Chapter 9

Determining and Establishing Cyber Security Functions

Abstract

We began this section of the book with an overview of the duties and responsibilities of the cyber security officer and then discussed establishing a cyber security program and the related cyber security plans and organization. We will continue the trend to narrow the focus: This chapter describes a process to determine what cyber security functions are needed to successfully establish a cyber security program and related organization, as well as how to incorporate those functions into the cyber security organization's day-to-day level-of-effort work.

Keywords

Access control systems; Business information; Corporate information; Cyber security officer; Firmware; Hardware; National security information; Personal/private information; Software; Valued information

Work is necessary for man. Man invented the alarm clock.

Pablo Picasso1

Chapter Objective
We began this section of the book with an overview of the duties and responsibilities of the cyber security officer and then discussed establishing a cyber security program and the related cyber security plans and organization. We will continue the trend to narrow the focus: This chapter describes a process to determine what cyber security functions are needed to successfully establish a cyber security program and related organization, as well as how to incorporate those functions into the cyber security organization’s day-to-day level-of-effort work.

Introduction

There are many different ways to configure a cyber security organization, and there are many ways to configure the cyber security functions that are part of that organization. Many cyber security officers begin establishing a cyber security organization, or “inherit” one, without looking at the need for the various functions and from where that need was derived. As stated earlier, all functions should be derived from one or more of the following requirements (drivers):
• Laws,
• Regulations,
• Best business practices,
• Best cyber security practices,
• Ethics,
• Privacy needs, and
• Corporate policies.
When developing or reorganizing a cyber security program, one can consider one of three basic structures as they relate to the cyber security program organization that the cyber security officer will manage and lead. The three basic options are:
• Centralized cyber security program organization under the cyber security officer,
• Decentralized organization throughout the corporation, or
• A combination of the two.
One of the major factors in deciding what philosophy and approach to take is the culture of the corporation, as well as the charter of the cyber security officer spelling out the cyber security officer’s duties and responsibilities. The cyber security officer must remember that the more centralized the organization, the more problems and work for the cyber security officer and staff. The old adage “If you want it done right, do it yourself” may work for some, but as a cyber security officer, that approach will bring you more stress than usual. In addition, you will definitely age exponentially. Developing and maintaining a protected information environment for the corporation require the support and active involvement of all employees. Sometimes a cyber security officer forgets that and tries to take on the entire protection matter instead of leading a corporate team effort. Such an approach leads to more problems than solutions for developing and maintaining a protected information environment.
So, what should you do? The best approach seems to be a combination. For example, this corporate cyber security officer decided that the overall information and information systems protection logically should be centralized under the cyber security officer and cyber security program staff. After all, they have the experience and know-how to lead this effort. However, at the same time, why get burdened with trying to write and maintain current cyber security program procedures that must be implemented by the departments to comply with those cyber security program policies? So, procedures written for compliance, as previously stated, will be the responsibility of the corporate departments. Their adequacy will be determined through audits, cyber security program tests and evaluations, noncompliance inquiries, and the like.
In addition, the corporate departments will be responsible for developing, implementing, and maintaining the processes that are an integral part of the procedures needed to comply with the cyber security program.

Processes

The cyber security officer must also develop procedures, functions, and processes to comply with the cyber security program policies, as an organizational manager. In addition, the cyber security officer must lead the effort to develop functions that the cyber security program organization will perform to lead and support the corporate cyber security program.
This cyber security officer decided that the best approach is through the drivers’ (cyber security program–cyber security program requirements) baseline. So, based on the drivers, one is then able to develop a “needs” statement or statements. These can be set forth in various ways, such as the vision, mission, and quality statements, and incorporated into plans, for example, strategic, tactical, and annual, as previously discussed. Regardless of how and in what form you state these needs for the cyber security program, they must support corporate plans, policies, objectives, and goals and must also eventually be tied to action items.
These action items are then analyzed and are implemented—for example, established as cyber security program functions that are then incorporated into the cyber security officer’s cyber security program organization as its charter of responsibilities and accountabilities, as stated in the previous chapter. One step to look at is the process. A process is basically “a series of actions directed toward a particular aim.”2 After the drivers and needs are identified, the cyber security officer must establish a process for meeting the identified requirements. The process is basically the details of how a function is to be performed.
The action items should be part of a formal project management program in which, as stated earlier, you, as the cyber security officer, determine that there is a need for some sort of cyber security program action that will take time and must be incorporated into the cyber security program organization. Remember, the project plans have:
• Objectives to accomplish,
• Beginning and ending dates,
• Tasks identified and assigned,
• Personnel assigned to tasks,
• Budget allocated, and
• Time allocated for completing those tasks.
There are many cyber security program-related functions; however, at this corporation, the cyber security officer determined that the functions identified in the cyber security officer’s charter were the main functions that were driven by or related to the baseline cyber security program. Therefore, they are the basic functions that should be established, and a flow process description should be developed relative to how the functions should be performed. For example3:
• Cyber security program requirements identification;
• Cyber security program plans, policies, processes, and procedures;
• Awareness education and training;
• Access control;
• Evaluation of hardware, firmware, and software for impact on the security of the information systems;
• Security tests and evaluations;
• Noncompliance inquiries;
• Risk management; and
• Disaster recovery/contingency planning.

Valuing Information

Before addressing the cyber security program functions, the cyber security officer determined that to provide an effective cyber security program with the least impact to cost and schedule, it is important to establish a process to determine the value of information.
The cyber security officer’s reasoning was that no information should be protected any more than is necessary. The rationale used by the cyber security officer was as follows:
The value of information is time dependent. In other words, information has value for only a certain period of time. Information relative to a new, unique corporate widget must be highly protected, and that includes the electronic drawings, diagrams, processes, etc. However, once the new widget is announced to the public, complete with photographs of the widget, selling price, etc., much of the protected information no longer needs protection.
That information, which once required protection to maintain the secrecy of this new widget, can now be eliminated. This will save money for the corporation because cyber security program costs are a parasite on the profits of the corporation. Those costs must be reduced or eliminated as soon as possible. It is the task of the cyber security officer and staff to continuously look for methods to accomplish this objective.

How to Determine the Value of Corporate Information

Determining the value of the corporation’s information is a very important task, but one that is seldom done with any systematic, logical approach by a company. However, the cyber security officer believed that to provide the program the corporation required, this task should be undertaken.
The consequences of not properly classifying the information could lead to overprotection, which is costly, or underprotection, which could lead to the loss of that information and thus of profits.
To determine the value of information, the cyber security officer must first understand what is meant by information and what is meant by value. The cyber security officer must also know how to properly categorize and classify the information, and what guidelines are set forth by government agencies or businesses for determining the value and protection requirements of that information. In addition, how the information owners perceive the information and its value is crucial to classifying4 it.

Why Is Determining Information Value Important?

If the information has value, it must be protected; protection is expensive. One should protect only that information which requires protection, only in the manner necessary based on the value of that information, and only for the period required.

The Value of Information

One might ask, “Does all the information of a company or government agency have value?” If you, as the corporate cyber security officer, were asked that question, what would be your response? The follow-on question would be “What information does not have value?” Is it that information which the receiver of the information determines has no value? When the originator of the information says so? Who determines whether information has value?
These are questions that the cyber security officer must ask—and answer—before trying to establish a process to set a value to any information. As you read through this material, think about the information where you work, how it is protected, why it is protected, etc.
The cyber security officer knows that a centralized approach would not work for valuing information, as every piece of information must be analyzed according to a specific criterion, identified according to a certain protective category, such as corporate-sensitive, and then marked and protected accordingly. The cyber security officer knew that the best approach was to set the criteria and guidelines for the identification, marking, transmission, storage, and destruction of corporate information and have the information owners identify the information that they produce and, following the policy guidelines in the cyber security program, protect that information. Those criteria and requirements would be developed as part of the cyber security officer’s project team, which would also include various department representatives, such as manufacturing, procurement, legal, security, finance, and planning.
The holder of the information may determine the value of the information. Each person places a value on the information in his or her possession. The information that is necessary to successfully complete a person’s work is very valuable to that person; however, it may not be very valuable to anyone else. For example, to an accountant, the accounts payable records are very important, and without them, the accountants could not do their job. However, for the person manufacturing the company’s product, that information has little or no value.
Ordinarily, the originator determines the value of the information, and that person categorizes or classifies that information, usually in accordance with the established guidelines.

Three Basic Categories of Information

Although there are no standard categories of information, most people agree that information can logically be categorized into three categories:
• Personal, private information;
• National security (both classified and unclassified) information (addressed in Chapter 12); and
• Business information.
Personal, private information is an individual matter, but also a matter for the government and businesses. People may want to keep private such information about themselves as their age, weight, address, cellular phone number, salary, and likes and dislikes.
At the same time, many countries have laws that protect information under some type of “privacy act.” In businesses and government agencies, it is a matter of policy to safeguard certain information about employees, such as their ages, addresses, and salaries. Therefore, this requirement (cyber security program driver) must be considered in developing the information value and protection policy and guidelines.
Although the information is personal to the individual, others may require that information. At the same time, they have an obligation to protect that information because it is considered to have value.
Business information also requires protection based on its value. At this corporation, this information was sometimes categorized as follows:
• Corporate–confidential,
• Corporate–internal use only,
• Corporate–private,
• Corporate–sensitive,
• Corporate–proprietary, and
• Corporate trade secret.
The number of categories used will vary with each company; however, the fewer categories, the fewer problems in classifying information and also, possibly, the fewer problems in the granularity of protection required. Again, this is a cost-item consideration. The cyber security officer found that private, internal use only, and proprietary would meet the needs of the cyber security program.
This company information must be protected because it has value to the company. The degree of protection required is also dependent on the value of the information during a specific period of time.

Types of Valued Information

Generally, the types of information that have value to the business and that require protection include the following: All forms and types of financial, scientific, technical, economic, or engineering information, including, but not limited to, data, plans, tools, mechanisms, compounds, formulas, designs, prototypes, processes, procedures, programs, codes, or commercial strategies, whether tangible or intangible, and whether stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing.
Examples of information requiring protection may include research, proposals, plans, manufacturing processes, pricing, and product.

Determining Information Value

Based on an understanding of information, its value, and some practical and philosophical thoughts on the topic as stated above, the cyber security officer must have some sense of what must be considered when determining the value of information.
When determining the value of information, the cyber security officer must determine what it cost to produce that information. Also to be considered is the cost in terms of damages caused to the company if it were to be released outside protected channels. Additional consideration must be given to the cost of maintaining and protecting that information. How these processes are combined determines the value of the information. Again, don’t forget to factor in the time element.
There are two basic assumptions to consider in determining the value of information: (1) All information costs some type of resource(s) to produce, for example, money, hours, or use of equipment; and (2) not all information can cause damage if released outside protected channels.
If the information costs to produce (and all information does) and no damage is done if it is released, you must consider, “Does it still have value?” If it costs to produce the information, but it cannot cause damage if it is released outside protected channels, then why protect it?
The time factor is a key element in determining the value of information and cannot be overemphasized. Let’s look at an example in which information is not time dependent—or is it? There is a company picnic to take place on May 22, 2016. What is the value of the information before, on, or after that date? Does the information have value? To whom? When?
If you’re looking forward to the company’s annual picnic, as is your family, the information as to when and where it is to take place has some value to you. Suppose you found out about it the day after it happened. Your family would be disappointed, they would be angry at you for not knowing, you would feel bad, etc. To the company, the information had “no value.” However, the fact that the employee did not receive that information caused him or her to be disgruntled and blame the company for his or her latest family fight. Based on that, the employee decided to slow down his or her productivity for a week.
This is a simple illustration, but it indicates the value of information depending on who has and who does not have that information, as well as the time element. It also shows that what is thought to be information not worth a second thought may have repercussions costing more than the value of the information.
The following is another example: A new, secret, revolutionary widget built to compete in a very competitive marketplace is to enter the market on January 1, 2017. What is the value of that information on January 2, 2016?
Again, to stress the point, one must consider the cost to produce the information and the damage done if that information were released.
If it cost to produce and can cause damage if released, it must be protected. If it cost to produce, but cannot cause damage if released, then why protect it? At the same time, be sensitive to dissemination. Information, to have value, to be useful, must get to the right people at the right time.

Business Information Types and Examples

Types of internal use only information:
• Not generally known outside the company,
• Not generally known through product inspection,
• Possibly useful to a competitor, and
• Provides some business advantage over competitors.
Examples are the company telephone book, company policies and procedures, and company organizational charts.
Types of private information:
• Reveals technical or financial aspects of the company,
• Indicates the company’s future direction,
• Describes portions of the company’s business,
• Provides a competitive edge, and
• Identifies personal information of employees.
Examples are personnel medical records, salary information, cost data, short-term marketing plans, and dates for unannounced events.
Types of sensitive information:
• Provides significant competitive advantage,
• Could cause serious damage to the company, and
• Reveals long-term company direction.
Examples are critical company technologies, critical engineering processes, and critical cost data.

Questions to Ask When Determining Value

When determining the value of your information, you should, as a minimum, ask the following questions:
• How much does it cost to produce?
• How much does it cost to replace?
• What would happen if I no longer had that information?
• What would happen if my closest competitor had that information?
• Is protection of the information required by law, and if so, what would happen if I didn’t protect it?

International Widget Corporation (IWC) Cyber Security Program Functions Process Development

The cyber security officer has learned that the development of a new cyber security program requires the establishment of cyber security program functions for that program. Establishing a process for each function, as the first task, will assist in ensuring that the functions will begin in a logical, systematic way that will lead to a cost-effective cyber security program.

Requirements Identification Function

As previously stated, the cyber security officer has determined that the driver for any cyber security program-related function is the requirements for that function. The requirements are the reason for the cyber security program. This need is further identified and defined and is subsequently met by the establishment of the cyber security program functions.
So, to begin the functions’ process identification, it is important to understand where the requirement—where the need—comes from as seen from a slightly different perspective.5 For this corporation, it is as follows:
• A need for a cyber security program as stated by executive management to protect the corporation’s competitive edge, which is based on information systems and the information that they store, process, display, and transmit;
• Contractual requirements as specified in contracts with customers, such as protecting customers’ information;
• Contractual requirements as specified in contracts with subcontractors, such as protecting subcontractors’ information;
• Contractual requirements as specified in contracts with vendors, such as protecting vendors’ information;
• Corporate’s desire to protect its information and systems from unauthorized access by customers, subcontractors, and vendors; and
• Federal, state, and local laws that are applicable to the corporation, such as requirements to protect the privacy rights of individuals and corporations as they relate to the information stored, processed, and transmitted by IWC systems.

Cyber Security Officer’s Cyber Security Program Functions

The cyber security officer has gone through the process previously noted to identify the baseline functions that are needed within the cyber security program organization to support the cyber security program, which as mentioned earlier supports business needs as stated in the strategic, tactical, and annual business plans. The following paragraphs identify, describe, and discuss some of the functions identified by the cyber security officer.

Awareness Program

The cyber security officer decided to concentrate, as a high priority, on the cyber security program Education Awareness and Training Program (EATP) as a major cyber security program organizational function and also as an integral part of the cyber security program. The EATP was needed to make the users aware of the need, as well as their responsibility, to protect information and systems, as well as to gain the users’ support in the protection of information and systems.
The cyber security officer reasoned that once the policies of the cyber security program were developed and published, the employees must be made aware of them and also why they were necessary. For only with the full support and cooperation of the employees, could a successful cyber security program be established and maintained.
The awareness program process was broken into two major parts:
• Awareness briefings and
• Continuing awareness material.

Awareness Briefings

The awareness briefings included information relative to the need for information and systems protection, the impact of protecting and not protecting the systems and information, and an explanation of the cyber security program.
The cyber security officer reasoned that the awareness material and briefings, when given as a general briefing, could be used only for new employees. The general briefings failed to provide the specific information required by various groups of systems users. Thus, the awareness briefings were tailored to specific audiences as follows:
• All new hires, whether or not they used a system, the rationale being that they all handle information and come in contact with computer and telecommunication systems in one form or another;
• Managers;
• System users;
• Information Technology Department personnel;
• Engineers;
• Manufacturers;
• Accounting and Finance personnel;
• Procurement personnel;
• Human Resources personnel;
• Security and Audit personnel; and
• The system security custodians (those who would be given day-to-day responsibility to ensure that the systems and information were protected in accordance with the cyber security program policy and procedures).
A process was established to identify these personnel, input their profile information into a database, and, using a standard format, track their awareness briefing attendance at both their initial briefings and their annual rebriefings. That information would also be used to provide them, through the IWC mail system, with awareness material.

Continuing Awareness Material

The cyber security officer, in concert with the Human Resources and Training staffs, decided that ensuring that employees were aware of their cyber security program responsibilities would require constant reminders. After all, information and systems protection is not the major function of most employees. However, a way must be found to remind the employees that it is a part of their function.
It was decided that awareness material could be cost-effectively provided to the employees. This was accomplished by providing cyber security program material to the employees through:
• Annual calendars,
• Posters,
• Labels for systems and disks,
• Articles published in the corporate publications such as the weekly newsletter, and
• Log-on notices and system broadcast messages, especially of cyber security program changes.
Although this EATP baseline was not all-inclusive, the cyber security officer believed that it was a good start that could be analyzed for cost-effective improvements at the end of the calendar year.

Access Control and Access Control Systems

The cyber security officer determined that the access control and access control systems ranked as a high priority in establishing processes for the control of access to systems, as well as the access to the information stored, processed, and transmitted by those systems. Therefore, access controls were divided into two sections:
• Access to systems and
• Access to the information on the systems.
The cyber security officer reasoned that each department created and used the corporate systems and their information. Therefore, they should be responsible for controlling access to those systems and information.
The major systems, such as the corporate-wide area network, were owned and operated by the IT Department, while individual systems and local area networks (LANs) were owned and operated by the individual departments.
As part of the cyber security program, the corporation, in coordination with other departments’ managers, established a process for all employees who required access to the systems to perform their job functions. Such employees would have to obtain system access approval from their manager and from the manager or designated representative of that system and/or the information owner, such as for financial database access. The owners’ approval was based on a justified need for access as stated by the employee’s manager. If the system and/or information owners agreed, access was granted.
The cyber security officer had found, during the initial evaluation of the cyber security program of the corporation, that departments had logically grouped their information into categories. They had done so to control access to their own files. This made it easy for the security officer, because the managers of the departments agreed that once access to systems was granted by the system owners, access to the information on those systems should be approved by the owners of those groups of files, databases, etc.
Thus, the access control process included a justification by an employee’s manager stating not only what systems, and why, the employee needed access to, but also what information he or she required access to in order to perform his or her job.
For the most part, this was an easy and logical process. For example, in the Accounting Department, personnel generally had access to the groups of files and databases based on their job functions—accounts payable, accounts receivable, etc.
This access control process helped maintain an audit trail of who approved access to whom and for what purposes. It also helped provide a separation of functions that is a vital component of any cyber security program. For example, an accounts payable person should not also be the accounts receivable person and the invoice processing person. Such a system would allow one person too much control over a process that can be—and has been—used for committing fraud.
The benefits of the foregoing process to the cyber security officer were that it documented an informal process that for the most part had been in place, and it also placed cyber security program responsibilities for systems and information access exactly where it belonged, with the identified owners of the systems and information.
In one instance, a cyber security officer found that one manager did not want to take responsibility for a LAN in the department, and since others outside the department used the information, the manager did not want to take ownership of the information. The manager thought the IT Department should be the owner—after all, they were responsible for the maintenance of the system.
The cyber security officer in this case asked the manager if the cyber security officer could then be responsible as the owner of the systems and the information. The manager quickly agreed. The cyber security officer then told the manager that since it was now owned by the cyber security program organization, access to the systems and information would be denied to all those not in the cyber security program organization.
The manager objected, stating that the personnel in his organization needed access to those systems and their information to perform their job functions. After further discussion, the organizational manager agreed that his organization would appear to be the logical owners and subsequently accepted that responsibility.

Access Control Systems

The cyber security officer, in coordination with the IT, Security, and Audit Departments, determined that the access control systems (hardware and software) belonged to the same departments and organizations identified as the system owners. However, the cyber security program personnel would establish the detailed procedures for the access control systems and the auditors would evaluate compliance with those procedures.
The system owners agreed to this process and also to appointing a primary and alternate system custodian who would be responsible for ensuring that the cyber security program policies and procedures were followed by all those who used the systems. In addition, the custodian would review the system audit trails, which were mandatory on all corporate systems.6

Evaluation of All Hardware, Firmware, and Software

All new hardware, firmware, and software should be evaluated for its impact on the security of information and systems. This was determined to be necessary in a joint agreement between the cyber security officer and the IT Department personnel, auditors, and security personnel.
To perform this function with minimal impact on cost and installation schedules, it was determined that a baseline checklist would be developed and that this checklist would be completed by the suppliers of the product, in concert with the cyber security program staff. Any items that adversely affected the cyber security program would be evaluated based on a risk assessment, using the approved risk management and reporting process.
The process included completion of the baseline cyber security program checklist and a technical evaluation by cyber security program personnel in concert with IT personnel. If the item (hardware, software, etc.) was considered risk-acceptable, it was approved for purchase.
If the item was not risk-acceptable, the risk management process identified countermeasures. Although this process generally approves the purchase of almost all items, some items might have an unacceptable level of risk, but would still be accepted because of their value to the company. In those instances, special audit trails could be created to monitor the use of the item. In any case, the cyber security officer understood that it is always better at least to know that a system is vulnerable than not to know the vulnerability existed until it was too late.
The cyber security officer identified the several potential processes relative to new, modified, or upgraded systems’ hardware, software, and firmware implementation in which the protection of information and information systems could be subject to increased vulnerabilities. The cyber security officer decided to form a project team to evaluate these and other processes. The project team would include the cyber security officer’s staff specialist as the project lead, as well as IT representatives, department representatives, a procurement representative, a contracts representative, and a legal representative. These representatives were chosen for the following reasons:
• IT: They are responsible for the major systems, such as intranets and Internet interfaces.
• Departments: They are responsible for their own stand-alone systems, such as microcomputers, and for their own LANs that are not connected outside the department.
• Procurement: They are responsible for ordering the hardware, software, and firmware.
• Contracts: They, based on cyber security officer coordination, include cyber security program-related specifications and clauses in the corporate contracts, such as software from a vendor certified free of malicious codes. Furthermore, if a product is vulnerable or increases the systems’ vulnerabilities, the contract may call for the vendor to patch the software or provide the source code for programmers to patch the code.
• Legal: They are responsible for ensuring that all issues related to contracts and procurement matters mandating cyber security program criteria are stated in such a way as to ensure their enforcement through legal means.

Risk Management Program

The objective of the risk management program is to maximize security and minimize cost through risk management.

What Is Risk Management?

Because it is the baseline for all of the cyber security officer’s decisions relative to information and systems protection, the cyber security officer decided to formalize the function of risk management as an integral part of the cyber security program and the cyber security program organization.
The cyber security officer knew that for corporate employees, especially management, to understand the philosophy behind how cyber security program-related decisions were made, they should have some basic grasp of the risk management philosophy. Thus, the cyber security officer directed that this topic be an integral part of the cyber security program and EATP. The cyber security officer knew that to understand the risk management methodology, one must first understand what risk management means. The cyber security officer defined risk management as the total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk assessments; risk analyses, including cost–benefit analyses; target selection; implementation and testing; security evaluation of safeguards; and overall cyber security program review.
The cyber security officer established the objective of the risk management process as follows: to provide the best protection of systems and the information they store, process, display, and/or transmit at the lowest cost consistent with the value of the systems and the information.

Risk Management Process

Remember that the cyber security program is a corporate program made up of professionals who provide service and support to their company. Therefore, the risk management process must be based on the needs of customers.
Also, the cyber security officer wanted to be sure that the risk management concepts, program, and processes were informally and formally used in all aspects of the cyber security program, including when and how to do awareness briefings and the impact of information systems security policies and procedures on the employees.
The following steps should be considered in the cyber security officer’s process:
1. Management interest: Identify areas that are of major interest to executive management and customers; approach from a business point of view. So, the process should begin with interviews of your internal customers to determine what areas of the cyber security program are adversely affecting their operations the most. Then, target those areas first as the starting point for the risk management program.
2. Identify specific targets: Software applications, hardware, telecommunications, electronic media storage, etc.
3. Identify input sources: Users, system administrators, auditors, security officers, technical journals, technical bulletins, risk assessment application programs, etc.
4. Identify potential threats: Internal and external, natural or human-made.
5. Identify vulnerabilities: Through interviews, experience, history, testing.
6. Identify risks: Match threats to vulnerabilities with existing countermeasures, verify, and validate.
7. Assess risks: Acceptable or not acceptable, identify residual risk, and then certify the process and gain approval. If the risks are not acceptable, then:
Identify countermeasures,
Identify each countermeasure’s costs, and
Compare countermeasures, risks, and costs to mitigated risks.

Recommendations to Management

When the risk assessment is completed, the cyber security officer must make recommendations to management. Remember in making recommendations to think from a business point of view: cost, benefits, profits, public relations, etc.

Risk Management Reports

A briefing that includes a formal, written report is the vehicle to bring the risks to management’s attention. The report should include areas identified that need improvement, areas that are performing well, and recommended actions for improvement, including costs and benefits.
Remember that it is management’s decision to either accept the risk or mitigate the risk and how much to spend to do so. The cyber security officer is the specialist, the in-house consultant. It is management’s responsibility to decide what to do. They may follow your recommendations, ignore them, or take some other action. In any case, the cyber security officer has provided the service and support required.
If the decision is made that no action will be taken, there is still a benefit to conducting the analyses. The cyber security officer now has a better understanding of the environment, as well as an understanding of some of the vulnerabilities. This information will still help in managing a cyber security program. The cyber security officer has developed a risk management process to be used as an overall baseline for implementation as part of the risk management philosophy of the corporation.

Security Tests and Evaluations Program

The cyber security officer saw the need for a security tests and evaluations program (ST&E) once the cyber security program processes of awareness, access control, and risk management were implemented.
The ST&E was developed to incorporate testing and evaluating of the total cyber security program processes, environments, hardware, software, and firmware as a proactive method to support risk assessments and the evaluation of the systems’ components.
The cyber security officer believed that the auditors’ compliance audits were more of a checklist process of ensuring compliance with the corporate cyber security program policies and procedures. What was needed, the cyber security officer reasoned, was a way to actually test cyber security program processes, systems, etc., to determine whether they were meeting the cyber security program needs of the corporation—regardless of whether they complied with the cyber security program policies and procedures.
For example, the ST&E would include periodically obtaining a user ID on a system with various access privileges. The cyber security program staff member using that identification would violate that system and attempt to gain unauthorized access to various files, databases, and systems. That information was analyzed in concert with a comparison of the system’s audit trails, thus profiling the cyber security program of a system or network. Also, the ST&E would include a review of records and prior audit trail documents to help establish the “cyber security program environment” being tested and evaluated.

Noncompliance Inquiries

Noncompliance inquiries (NCIs) were identified as a cyber security officer responsibility and the process was developed by the cyber security program staff and coordinated with the audit and security management. The NCI process was as follows:
• Receive allegations of noncompliance by auditors, security personnel, managers, users, and generally anyone else.
• The allegation was evaluated and, if not considered acceptable, filed.7
• If the allegation was substantiated, an inquiry was conducted. The inquiry included interviews, technical reviews, document reviews, etc.
• The information gathered was analyzed, collated, and provided in a formal report to management with copies to appropriate departments such as security and human resources.
• The report was protected for reasons of privacy and also included recommendations and trend analyses to mitigate future occurrences.

Contingency and Emergency Planning and Disaster Recovery Program

A contingency and emergency planning and disaster recovery (CEP-DR) program is one of the least difficult programs to establish and yet always seems to be a difficult task. With the change in information systems’ environments and configurations—client–server, LAN, distributed processing, etc.—this problem may be getting worse.
Prior to discussing CEP-DR, it is important to understand why it is needed. It is really a very important aspect of a cyber security program and may even be its most vital part.
The cyber security officer must remember that the purpose of the cyber security program is to:
• Minimize the probability of a security vulnerability,
• Minimize the damage if a vulnerability is exploited, and
Provide a method to recover efficiently and effectively from the damage.

What Is It?

Contingency planning is making a plan for responding to emergencies, running backup operations, and recovering after a disaster. It addresses what action will be taken to return to normal operations. Emergencies requiring action would include such natural events as floods and earthquakes, as well as human-caused acts such as fires or hacker attacks causing denial of services.
Disaster recovery is the restoration of the information systems, facility, or other related assets following a significant disruption of services.

Why Do It?

Primarily users often ask the question, why is a CEP-DR program necessary? Everyone associated with using, protecting, and maintaining information systems and the information that they store, process, and/or transmit must understand the need for such a program:
• To assist in protecting vital information,
• To minimize adverse impact on productivity, and
• To support the business staying in business!

How Do You Do It?

Each CEP-DR program is unique to the environment, culture, and philosophy of each business or government agency. However, the basic program, regardless of business or agency, requires the development and maintenance of a CEP-DR plan. It must be periodically tested, problems identified and corrected, and processes changed to minimize the chances of adverse events happening again.

The CEP-DR Planning System

The corporation’s CEP-DR plan must be written based on the standard format used by the corporation. The following generic format is offered for consideration:
1. Purpose: State the reason for the plan and its objective. This should be specific enough that it is clear to all who read it why it has been written.
2. Scope: State the scope and applicability of the plan. Does it include all systems, all locations, subcontractors?
3. Assumptions: State the priorities, the support promised, and the incidents to be included and excluded. For example, if your area does not have typhoons, will you assume that typhoons, as a potential disaster threat, will not be considered?
4. Responsibilities: State who is to be responsible for taking what actions. This should be stated clearly so everyone knows who is responsible for what. Consider a generic breakdown such as managers, systems administrators, and users. Also, specific authority and responsibility should be listed by a person’s title and not necessarily by that person’s name. This approach will save time in updating the plan because of personnel changes.
5. Strategy: Discuss backup requirements and how often they should be accomplished based on classification of information; state how you will recover, etc.
6. Personnel: Maintain an accurate, complete, and current list of key CEP-DR personnel, including addresses, phone numbers, page numbers, and cellular phone numbers. Be sure to establish an emergency prioritized, notification listing and a listing of response team members and how to contact them in an emergency.
7. Information: Maintain an on-site inventory listing and an off-site inventory listing; identify the rotation process to ensure a history and current inventory of files. Identify vital information. This information must come from the owner of that information and must be classified according to its importance, based on approved guidelines.
8. Hardware: Maintain an inventory listing, including supplier’s name, serial number, and property identification number; ensure that emergency replacement contracts are in place; maintain hard copies of applicable documents on and off site.
9. Software: Identify and maintain backup operating systems and application systems software. This should include original software and at least one backup copy of each. Be sure to identify the version numbers, etc. In this way, you can compare what is listed in the plan with what is actually installed. It would not be a unique event if software backups were not kept current and compatible with the hardware. If this is the case, the systems might not be able to work together to process, store, and transmit much-needed information.
10. Documentation: All-important documentation should be identified, listed, inventoried, and maintained current in both on- and off-site locations.
11. Telecommunications: The identification and maintenance of telecommunications hardware and software listings are vital if you are operating in any type of network environment. Many systems today cannot operate in a stand-alone configuration; thus, the telecommunications lines, backups, schematics, etc., are of vital importance to getting back in operation within the time period required. As with other documentation, their identification, listing, etc., should be maintained at multiple on- and off-site locations. Be sure to identify all emergency requirements and all alternative communication methods.
12. Supplies: Supplies are often forgotten when establishing a CEP-DR plan, as they often take a back seat to hardware and software. However, listing and maintenance of vital supplies are required, including the name, address, telephone numbers, and contract information concerning suppliers. Be sure to store sufficient quantities at appropriate locations on and off site. If you don’t think this is an important matter, try using a printer when its toner cartridge has dried out or is empty!.
    Physical supplies for consideration should include plastic tarps to protect systems from water damage in the event of a fire in which sprinkler systems are activated
13. Transportation and equipment: If you have a disaster or emergency requiring the use of a backup facility or obtaining backup copies of software, etc., you obviously must have transportation and the applicable equipment (e.g., a dolly for hauling heavy items) to do the job. Therefore, you must plan for such things. List emergency transportation needs and sources, how you will obtain emergency transportation and equipment, and which routes and alternate routes to take to the off-site location. Be sure to include maps in the vehicles and also in the plan. Be sure there are fully charged, hand-held fire extinguishers available that will work on various types of fires, such as electrical, paper, or chemical.
14. Processing locations: Many businesses and agencies sign contractual agreements to ensure that they have an appropriate off-site location to be used in the event their facility is not capable of supporting their activities.
    Ensure that emergency processing agreements are in place that will provide you with priority service and support in the event of an emergency or disaster. Even then, you may have a difficult time using the facility if it is a massive disaster and others have also contracted for the facility.
    Be sure to periodically use the facility to ensure that you can process, store, and/or transmit information at that location. Don’t forget to identify on-site locations that can be used or converted for use if the disaster is less than total.
15. Utilities: Identify on-site and off-site emergency power needs and locations. Don’t forget that these requirements change as facilities, equipment, and hardware change. Battery power and uninterruptable power might not be able to carry the load or might be too old to even work. They must be periodically tested. As with the printer cartridge supplies, systems without power are useless. In addition to power, don’t forget the air conditioning requirements. It would be important to know how long a system can process without air conditioning based on certain temperature and humidity readings.
16. Documentation: Identify all related documentation; store it in multiple on- and off-site locations, and be sure to include the CEP-DR plan.
17. Other: Miscellaneous items not covered above.

Test the Plan

Only through testing can the cyber security officer determine that a plan will work when required. Therefore, it must be periodically tested. It need not be tested all at once, because that would probably cause a loss of productivity by the employees, which would not be cost-effective.
It is best to test the plan in increments, relying on all the pieces to fit together when all parts have been tested. Regardless of when and how you test the plan, which is a management decision, it must be tested. Probably the best way to determine how and what to test, and in what order, is to prioritize testing based on prioritized assets.
When testing, the scenarios used should be as realistic as possible. This should include emergency response, testing backup applications and systems, and recovery operations.
Through testing, document the problems and vulnerabilities identified. Determine why they occurred and establish formal projects to fix each problem. Additionally, make whatever cost-effective process changes are necessary to ensure that the same problem would not happen again or that the chance of it happening is minimized.
The cyber security officer evaluated the corporate organizational structure relative to the corporation. After coordination with the Director of Security, a process was developed to integrate the cyber security officer and staff into the current CEP-DR process.

Questions to Consider

Based on what you have read, consider the following questions and how you would reply to them:
• Do you believe that the basic requirements—drivers—discussed in this chapter are valid?
• Can you think of others that you would use as a cyber security officer?
• After the requirements are identified, in what order would you prioritize policies, procedures, plans, processes, functions, and processes?
• Why did you decide to prioritize each in the order noted?
• Do you have a process in place for valuing company information?
• If not, how do you know what to protect in a cost-effective manner?
• If you have such a process in place, is it current?
• Is it working?
• How do you know it is working cost-effectively?
• What are the functions that you as a cyber security officer believe are required to be a part of your cyber security program organization?
• Which ones are optional, and why?
• Which ones would never be authorized by management to be part of your cyber security program responsibilities?
• Do you use a formal, documented risk management philosophy?
• If not, how do you cost-effectively make cyber security program decisions?
• If so, is that philosophy shared with the employees so they can understand why certain cyber security program decisions are made?
• Are you an integral part of the company’s CEP-DR processes?
• If not, should you be?
• If so, are you involved in testing the CEP-DR plans?
• After an emergency or disaster, are you involved in verifying and validating that all the security hardware, software, and firmware are operating in accordance with the cyber security program and security specifications?
• If not, how would you know they were even turned back on by IT personnel after the systems went offline and were brought back online again?

Summary

It is crucial for a cyber security officer who is new to the corporation to evaluate the current cyber security program organizational structure, the staff, and their experience and education and ensure the organization is cost-effectively structured. The cyber security officer should consider the following points:
• Establishing the proper cyber security program functions in the right priority order is vital to establishing the cyber security program organization and cyber security program baseline.
• The cyber security program functional processes should generally follow the function descriptions noted in the cyber security officer’s charter of responsibilities.
• Establishing a process to determine the categories of information identified by the general value of that information would assist in the development of a cost-effective cyber security program.
• Functions and processes should be developed based on requirements such as laws and regulations.
• Flowcharts should be developed to help visualize the linkage between requirements; plans; vision, mission, and quality statements; policies; processes; and functions.

1 Attributed to Pablo Picasso (1881–1973), Spanish painter and sculptor. Microsoft’s Encarta Dictionary.

2 Encarta World English Dictionary, ©1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.

3 Others can be added, but these basic examples give the reader a good idea of what is needed.

4 In the context used here, the term classify has nothing to do with classification as it relates to national security information, such as confidential, secret, and top secret.

5 You may find that this driver–requirement, cyber security program–cyber security program functions topic is redundant. Ideally, it is, and you are beginning to get it ingrained in your cyber security officer head that these are the basics that every cyber security officer should know and use as the baseline for leading and managing an information and systems protection program for a company or government agency. I hope that after reading this book, certain basic philosophies, such as the fact that the cyber security program is a parasite on the profits, will be made an automatic part of any cyber security type of program and cyber security program organization you will lead and manage.

6 At first, the audit trails requirements were to be applied only to those systems processing sensitive information; however, it was quickly discovered that all the systems, because of their networking, fell under that category. Management agreed that the additional cost of such a requirement was beneficial based on the risk of loss of that information to internal or external threats.

7 The cyber security officer was sensitive to privacy issues and did not want to initiate an inquiry without substantiated information, since someone may have a grudge against another and use the process to harass him or her.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.191.139.245