Without question, we are seeing security become top of mind for leadership. Many organizations are becoming fearful of the almost certain prospect, that they will become victims of a data breach and/or ransom-ware in the near future. More than ever, firms need to take an offensive position and actively secure their organizations–the first step is knowledge.
Here is a primer for developing and managing a Cyber Security & Consumer Privacy process to help you and your firm become more secure. This is a straight-forward process, we use at Ascension, to help companies achieve high levels of security compliance.
The initial, and perhaps most critical step is to determine your company’s current security posture. A structured and reliable assessment should always involve reviewing current policy, procedures, technical environments and other security related functions that are standards based. Ascension employs a proprietary toolset using a wide spectrum of generally accepted practices. We align and match numerous general accepted standards, such as ISO/IEC 27001, NIST 800-53, ISA 62443, COBIT 5, CIS CSC, CCPA, GDPR, PCI DSS and other standards into a concise assessment tool to simplify the assessment process and reporting. By having a structured assessment, you and your team will be able to scope security tasks necessary to achieve compliance.
After an assessment is developed, a reporting system should be implemented to assist leadership and other interested parties in understanding security issues & gaps as well as current status regarding any on-going remediation efforts.
With the assessment in place, and a reporting system communicating and tracking progress. Top management should develop a reasonable and effective strategy for closing all security gaps.
The next step is to manage and remediate all issues by working with the internal teams, third-parties and leadership to achieve compliance.
Over time, continuously managing and improving all elements of security, will ultimately guide your company to a higher, consistent and repeatable security posture.
The ultimate goal is to achieve full compliance and provide continuous reporting to ensure on-going compliance.
Finally, your security process should include, at a minimum, the following operational and security domains of knowledge:
- Asset Management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
- Business Environment: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
- Governance: The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
- Risk Assessment: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- Risk Management Strategy: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
- Supply Chain Risk Management: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.”
- Identity Management, Authentication and Access Control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
- Awareness and Training: The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
- Data Security & Privacy: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
- Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
- Maintenance: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
- Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
- Anomalies and Events: Anomalous activity is detected and the potential impact of events is understood.
- Security Continuous Monitoring: The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
- Detection Processes: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
- Response Planning: Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
- Law Enforcement: Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).
- Analysis: Analysis is conducted to ensure effective response and support recovery activities.
- Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
- Improvements: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
- Recovery Planning: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
- Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.
- Communications: Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other Security Teams and vendors).
Unfortunately, we have leaders that did not perform an assessment calling us, after such a breach or security incident has happen.
“What happened? Are we responsible? Why did I get targeted?
We have to advise them, that the first step is always an assessment of the truth.
Please feel free to call and ask any and all questions you may have regarding Cyber Security.
Paul Scott 425-750-0760 paul@ascension-tg.com