CHAPTER 13: IMPLEMENTATION OF SECURITY MEASURES

‘The CEO must make it clear that security is not just an IT problem – it is a priority for the business that is top of mind. Business and technology leadership must work together to discuss potential risks and find solutions that protect intellectual property and financials alike.’ – John Chambers

One of the results of a risk assessment should be a ranking of the identified risks by level. The simplest approach is a three-level scale (high, medium, low). The assessment should also establish whether, and how, the level of each risk can be reduced. One option is to implement extra security measures.

Not many extra security measures should emerge if a high-level risk assessment method was used. However, if the critical infrastructure service provider has used a detailed risk assessment method, hundreds of extra security measures may appear to be necessary. The resource-intensive detailed risk assessment method may be necessary in some specific, narrow areas, but most likely not for the whole organisation. An alternative solution would be to use baseline security methods, which help achieve considerable results faster if skilfully implemented.

Considering the complexity of today’s information systems, protecting the whole company’s information systems and the associated environment needs considerable effort and many security measures.

Which security measures should they be and where can they be obtained? Who should decide which security measures to apply and at which level?

Here are three options in the context of CII:

1. The critical infrastructure service provider decides which security measures it applies to protect the information systems needed by the critical infrastructure service. The state does not establish any rules regarding the guarantee of cyber security.

The critical infrastructure service provider should consider the service levels described above and agreed on between the relevant parties. They must also be considered in guaranteeing the availability, integrity and confidentiality of information systems.

2. The state advises setting a standard as the basis for protecting the relevant information systems. Compliance with this standard is not mandatory and it is not made mandatory with any regulations.

3. The state establishes some mandatory standards. These should be the minimum standards that critical infrastructure service providers must meet. The critical service provider must also decide whether and which standards it will use, and which extra security measures it will implement to guarantee the security of information systems and the associated environment.

Depending on the state, any of the above options might be used. One option suits one state, whereas another may be better for a different country. The success of any particular system will depend on a range of factors, in particular on how the entire system is structured.

A plan to implement security measures should be created at the level of the company after a cyber security standard has been chosen. Some measures will be important and can be quickly applied, whereas other important measures need more planning, expertise and resources. Someone should be appointed to implement each security measure and the status of the implementation should be checked at intervals.

Lesson 13: Implement the necessary security measures.
