Cybersecurity Plan

Writing a basic security plan is a must for all businesses, regardless of size. For a small business, drafting an essential security plan takes a few hours (8 to 10 hours), writing up an inventory list takes a few more (2 to 4 hours), and after that coming up with the relevant update and recovery checklists should take a few more hours (4 or 5 hours).

Note: Drafting the information security policies, procedures, and process documentation needed to satisfy ISO 27001 requirements is not proportional to the size of your organization; it will take a few dedicated days (4 or 5 days) and a few weeks to refine.

Here’s how a small business builds a working cyber security plan. Large companies have more complex needs that require a more sophisticated strategy, which is beyond the scope of this article; contact me if you need assistance.

You don’t need to be an IT security expert to get the job done. If you can run an application like LibreOffice to edit a document and browse the web, you already know enough to protect your organization at a basic level, no black magic involved. Investing in cybersecurity delivers a considerable return on investment, always. Using the FCC Cyber Security Planning Guide, you can create a simple cybersecurity plan for your organization. The first draft of your cyber security plan doesn’t have to win a Pushcart Prize, but make sure it’s not a candidate for the Flannery O’Connor Award for Short Fiction either. It does not need to run to hundreds of pages with chapters of fine detail. Your plan needs to outline the threats you likely face and establish sound policies, procedures, and processes, with clear responsibilities for taking action.

The best security plans are simple, but they demand that everyone involved be proactive and vigilant about security. Everyone concerned should take note of which policies, processes, and procedures are working and which need to be polished, changed, or just thrown out. It’s all about involving everyone and building the collective knowledge required to take charge of your cyber security.

Identify and understand your risk: start by listing all your digital assets, such as emails, work files, financial records, employee information, business and project plans, schedules, clients’ data, contracts, and any other information you want to protect.

Before you can protect anything, you need to take inventory of all the assets that contribute to your business and its security, and decide what you are trying to achieve. For many companies, the objectives include:

  • Protecting all your data, such as:
    • Customer sales records
    • Customer credit card transactions
    • Customer mailing and email lists
    • Customer support information
    • Customer warranty information
    • Patient health or medical records
    • Employee payroll records
    • Employee email lists
    • Employee health and medical records
    • Business and personal financial records
    • Marketing plans
    • Business leads and inquiries
    • Product design and development plans
    • Legal, tax and financial correspondence
  • Meeting your regulatory and legislative obligations;
  • Showing your suppliers and clients that you are proactive about security by implementing and complying with best-of-breed standards from ISO, NIST, and others.

List your employees and allocate a cyber security task to every person, for example:

  • Responsible for overall cyber security: the Information Security Officer;
  • Accountable for all security-led technical changes: the person most comfortable with software and hardware;
  • Responsible for scheduling and managing updates and checks: everyone, with a team leader.
  • Moreover, everyone must acknowledge that they are responsible for understanding the risks, such as email scams and malware threats, and for staying vigilant while in cyberspace.

Your cybersecurity policies, procedures, and processes also have to account for events such as:

  • Accidental damage, like dropping a tablet and breaking the screen;
  • Technical failure, such as the death of a vital server;
  • Natural disasters such as earthquake, flood, and fire;
  • Crime, like a break-in at your premises;
  • External risks like malware attacks and industrial espionage;
  • Employee negligence, such as unintentional file deletion;
  • Employee misconduct, like stealing customer data.

Using NIST SP 800-53 R4, Security and Privacy Controls for Federal Information Systems and Organizations, you can formalize your security controls to help you manage your risks and figure out which people will manage those risks best. NIST SP 800-53 and ISO 27002 will help you decide how to select the controls that mitigate those risks. If you are a Microsoft Windows user, your controls for detecting, updating, recovering, and practising safe computing might include things like:

  • Ensure that all your mail gets swept for viruses, archived, and kept secure;
  • Use digital signature and encryption certificates;
  • Encrypt your data and move it to a central file server;
  • Stop staff from storing information on their local computers;
  • Back up vital encrypted data every day, with local copies and in the cloud (DropBox, Google Drive, iCloud, Mega, OneDrive, SpiderOak);
  • Encrypt and store critical customer and business information locally and in the cloud (DropBox, Google Drive, iCloud, Mega, OneDrive, SpiderOak);
  • Use TNO computing (Trust No One, network segmentation) where only people working on a given project have access to that project’s files;
  • Enforce TNO computing and restrict access to business information like clients’ accounts and payroll to need-to-know only;
  • Set up BitLocker, GNU Privacy Guard, or AxCrypt on all your computers to protect your data against loss or theft;
  • Security-mark every piece of equipment (PC, server, laptop, tablet, mobile phone, and so on);
  • Have a third party conduct an annual audit of your physical security, locks, and alarms;
  • Update your security policies, procedures, and processes yearly and train all new staff, without exception;
  • Hold a refresher course to ensure everyone in the company is familiar with changes to security policies, procedures, and processes;
  • Spot-check regularly to ensure staff take security seriously and follow established protocols.
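The BitLocker control and the regular spot-check above can be combined into one repeatable check. The script below is an added example, not from the original article: it lists every BitLocker volume on a Windows computer, flags any that are not fully protected, and appends the findings to an inventory log. It assumes the BitLocker PowerShell module is present (Windows 10/11 Pro or Enterprise, or Server with the BitLocker feature) and an elevated session; the log path is an assumption.

```powershell
# Added example: BitLocker spot-check for the cybersecurity plan's control list.
# Assumes: BitLocker module available, elevated PowerShell, log folder path is ours to choose.
$logDir = Join-Path $env:ProgramData 'SecurityPlan'          # assumed location for plan evidence
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# One record per volume: protection state, encryption state, and which key protectors exist.
$report = foreach ($vol in Get-BitLockerVolume) {
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Volume        = $vol.MountPoint
        Type          = $vol.VolumeType                    # OperatingSystem or Data
        Protection    = $vol.ProtectionStatus              # On / Off
        Status        = $vol.VolumeStatus                  # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        Percent       = $vol.EncryptionPercentage
        KeyProtectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        Checked       = (Get-Date).ToString('s')
    }
}

$report | Format-Table -AutoSize

# A volume counts as a finding unless protection is on AND encryption is complete.
# Findings go to the Information Security Officer and into the dated log for the next spot-check.
$findings = @($report | Where-Object { $_.Protection -ne 'On' -or $_.Status -ne 'FullyEncrypted' })
if ($findings.Count -gt 0) {
    $findings | Export-Csv -Path (Join-Path $logDir 'bitlocker-findings.csv') -Append -NoTypeInformation
    Write-Warning "$($findings.Count) volume(s) on $env:COMPUTERNAME are not fully protected by BitLocker."
} else {
    Write-Output "All volumes on $env:COMPUTERNAME are protected by BitLocker."
}
```

Run it from a scheduled task on each machine and review the CSV during the yearly policy update; a volume that stays at "EncryptionInProgress" across checks is worth a closer look.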

It’s a reasonably straightforward exercise, but even a basic cybersecurity plan can save you a world of pain. To ensure the integrity of your cybersecurity plan and its policies, procedures, and processes, it is wise to employ a third party to audit your cybersecurity as a whole, or simply to help you implement it: documentation, controls, and so on.

You will find helpful links in the FCC Cyber Security Planning Guide.

Sources:

Guide to Developing a Cyber Security and Risk Mitigation Plan – NRECA / CRN, https://www.smartgrid.gov/files/CyberSecurityGuideforanElectricCooperativeV11-21.pdf

Cyber Security Planning Guide – FCC, https://transition.fcc.gov/cyber/cyberplanner.pdf (accessed February 18, 2019).

Cyber Security Bulletin T#): Scams And Frauds – US Army, https://www.army.mil.ph/home/pdf_files/Cyber_Bulletin/Cyber%20Security%20Bulleti (accessed February 18, 2019).

Cyber Security Planning Guide – Homeland Security | Home, https://www.dhs.gov/sites/default/files/publications/FCC%20Cybersecurity%20Plann (accessed February 18, 2019).

Attribution and Prosecution

Justice in Cyberspace

Cybercrimes are on the rise worldwide, and national law enforcement agencies have very little success with arrests and even less with prosecutions; no matter how much money is thrown at the problem, putting cybercriminals behind bars will continue to prove elusive.

Two of the reasons are attribution and jurisdiction; cybercriminals know this and take full advantage of it.

To put a dent in this trend two things need to happen.

(1) The creation of an International Attribution Consortium[i] consisting of a “broad team of international experts would provide an independent investigation of major cyber incidents for attribution. Membership should include representatives from two sectors: (a) technical experts from cybersecurity and information technology companies, as well as academia, and (b) cyberspace policy experts, legal scholars, and international policy experts from a diversity of academic and research organizations. A credible and transparent attribution organization should not include the formal representation of nation-states, to avoid an appearance of bias and to protect transparency.”

(2) For nations to stop the current tendency of using their laws (justice systems) and enforcement units to advance their political and national interests. Governments need to realize that prosecuting cybercriminals in the jurisdiction(s) where the crime was committed benefits all concerned, especially where wanton criminal acts traverse geographical borders, creating economic and political havoc in multiple domains, and jurisdictional gridlock leaves the criminals free to repeat their most successful exploits. International law enforcement cybercrime units, like the Interpol and Europol cybercrime units, need real power to chase and arrest cybercriminals and ensure their prosecution, hopefully in the jurisdiction with the most severe penalties.

Sadly, Item (1) is more likely to happen anytime soon than Item (2).

Federal budget: RCMP, CSE to get new cybercrime fighting centres (Note: cybercrime fighting centres are a good worldwide trend currently, but with very little worldwide coordination.)


[i] Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace, Santa Monica, Calif.: RAND Corporation, RR-2081-MS, 2017. https://www.rand.org/pubs/research_reports/RR2081.html

Privacy Information Management System (PIMS)

Help is almost here for implementing and confirming compliance with the General Data Protection Regulation (GDPR) and other information privacy acts. ISO/IEC DIS 27552 is designed to enhance the existing Information Security Management System (ISMS, see the ISO/IEC 27000 series) with additional requirements to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). ISO/IEC 27552 provides a framework for Personally Identifiable Information (PII) Controllers[i] and PII Processors[ii] to manage privacy controls, reducing risks to individuals’ privacy rights. It acts as an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management, requirements, and guidelines.

ISO/IEC 27552 augments the existing ISMS with privacy-specific controls and creates a PIMS to enable effective privacy management by the organization. A well thought out PIMS implementation can bring many potential benefits for PII Controllers and Processors.

First, managing compliance with the various privacy regulations and policies of numerous jurisdictions can be burdensome, especially since those laws were not organized in a way that makes their application by PII controllers and processors straightforward. Annex C demonstrates that one single control can account for multiple requirements from the General Data Protection Regulation (GDPR). Using the standard can significantly reduce the complexity of meeting regulations.

Second, the requirement for Data Protection Officers will help provide evidence to senior management and board members of their progress in regulatory privacy compliance. Compliance evidence based on a PIMS and, potentially, its certification can provide the necessary assurance to senior management and board members that the organization’s implementation meets the applicable privacy requirements.

Third, PIMS certification can be valuable in demonstrating an organization’s privacy compliance to customers, partners, and authorities. PII controllers generally demand evidence from PII processors that the processors’ privacy management system meets the applicable privacy requirements. A consistent evidence framework based on the international standard can greatly simplify such proof of compliance, especially when the evidence needs validation by an accredited third-party auditor. A well implemented and reviewed ISO/IEC 27552 PIMS is a necessity for the compliance transparency that is so critical to an organization’s strategic business decisions, such as mergers and acquisitions. It will also play a significant role where multiple organizations develop and implement scenarios involving data sharing agreements. Lastly, certifying an organization’s PIMS can potentially serve to signal trustworthiness to the public.

The standard segregates the requirements into the following four groups:

  • Clause 5 outlines PIMS requirements related to ISO/IEC 27001.
  • Clause 6 outlines PIMS requirements related to ISO/IEC 27002.
  • Clause 7 outlines PIMS guidance for PII Controllers.
  • Clause 8 describes PIMS guidance for PII Processors.

Further, ISO/IEC 27552 includes the following informative Annexes:

  • Annex A lists all appropriate controls for PII Controllers.
  • Annex B lists all suitable controls for PII Processors.
  • Annex C charts ISO/IEC 27552 controls against GDPR.
  • Annex D charts ISO/IEC 27552 controls against ISO/IEC 29100.
  • Annex E charts ISO/IEC 27552 controls against ISO/IEC 27018.
  • Annex F charts ISO/IEC 27552 controls against ISO/IEC 29151.

ISO/IEC 29100:2011 – Privacy Framework specifies a common privacy terminology; defines the actors and their roles in processing PII; describes privacy safeguarding considerations, and provides references to known privacy principles for information technology. You can download a copy of ISO/IEC 29100:2011.

ISO/IEC 27018 presents commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in line with ISO/IEC 29100’s privacy principles in cyberspace (the public cloud computing environment).

ISO/IEC 29151:2017 establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of PII.


[i] A PII controller (or data controller in some jurisdictions) is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

[ii] A public cloud service provider is a ‘PII processor’ when it processes PII for and according to the instructions of a cloud service customer. … NOTE Where the public cloud PII processor is processing cloud service customer account data, it might be acting as a PII controller for this purpose.

Semper Paratus

Cyberwarfare and cybercrime are here to stay, no doubt about that. No matter the size of your network, it is imperative to be proactive and prepare for the future. It is of utmost importance for all organizations to take the necessary basic precautions now, to provide a defence on what is now the front line of the future.

Risk management is critical to forming the basis of a sound and strategic cybersecurity program for organizations of all sizes. One accomplishes this through an initial risk assessment in which one identifies, categorizes, and ranks data according to the perceived impact on the organization should that data be exposed, lost, or stolen; the aim is to have the basics in place before disaster strikes.

All organizations, no matter their size, should take the following seven steps, at a bare minimum, to protect their data, supported by standards and guidelines:

1. Set up multi-factor authentication for all users accessing your network, without exception.

  • To help you understand the MFA process, NIST presents a simple primer entitled: Back to basics: Multi-factor authentication (MFA).
  • Further, it serves well to have a copy of ISO/IEC 27001:2013 – Information Security Management System – Requirements. The standard’s requirements are generic and suitable for all organizations regardless of type, size, and nature. They specify how best to establish, implement, maintain, and continually improve your organization’s Information Security Management System (ISMS). More importantly, it provides methods for assessing and treating information security risks tailored to the organization’s needs. To help implement Item 1, see the following requirements in ISO/IEC 27001:2013:
    • A.9.1.1 – Access control policy
    • A.10.1.1 – Policy on the use of cryptographic controls
    • A.11.2.9 – Clear desk and clear screen policy
    • A.14.1.1 – Information security requirements analysis and specification
    • A.14.1.2 – Securing application services on public networks
    • A.14.1.3 – Protecting application services transactions
    • A.14.2.5 – Secure system engineering principles
    • A.9.1.2 – Access to networks and network services
    • A.13.1.2 – Security of network services
    • A.13.1.3 – Segregation in networks
    • A.13.2.3 – Electronic messaging
    • A.9.4.2 – Secure log-on procedures
    • A.9.4.4 – Use of privileged utility programs
    • A.11.1.2 – Physical entry controls

2. Most importantly, it is critical that you use access control to manage who gets access to what data.

  • Consider ISO/IEC 29146:2016 — A Framework for Identity Management. It defines and establishes a Framework for Access Management (FAM) with pointers for the secure management of the processes to access information and Information and Communications Technologies (ICT) resources.
  • Organizations should implement Zero Trust architecture; this network segmentation approach allows an organization to adopt a “verify all” approach to data access.

3. Use encryption to protect data at rest and in transit.

4. Set up secure, automatic, always-encrypted backups (keep Items 1, 2, and 3 in mind).

5. Strictly manage vendor and partner access to your systems.

6. Develop and implement well-exercised disaster recovery and continuity of operations plans, and, more importantly, make sure they include an alternate location from which to deliver services.

7. Adopt cybersecurity frameworks and other regulatory controls to manage and monitor systems.

Reference:

Understanding The Implications Cyberwarfare Has On Your…,  https://forbes.com/sites/forbestechcouncil/2019/01/30/understanding-the-implicat (accessed February 02, 2019).

Take away from US DNI’s report

The Statement for the Record, Worldwide Threat Assessment of the US Intelligence Community, delivered by Daniel R. Coats, US Director of National Intelligence, on January 29, 2019, to the US Senate Select Committee on Intelligence is an interesting read from which we can draw lessons to spur our cyber and information security efforts proactively.

Here are three critical cybersecurity-related takeaways from the report.

1. China and Russia have unprecedented power to target any infrastructure and population. Others, like Iran and North Korea, remain severe threats for cyber espionage leading to financial and supply chain disruptions.

2. Cybercriminals will continue to conduct for-profit, cyber-enabled theft and extortion against any networks endangering economic health and competitiveness essential to many countries’ national security.

3. Cyberwarfare is now part and parcel of most militaries’ arsenals, and the scale of the threat is outstripping most nations’ ability, never mind most organizations’ ability, to defend against an act of aggression in cyberspace.

The report’s conclusions apply to just about any nation.

In the face of the current cyber threat environment, most nations lack a coherent cyber doctrine that, at a minimum, will best defend and minimize damage to their infrastructure. They need cyber policies, procedures, and processes that proactively define their country’s intentions and interests in cyberspace; clearly articulate the online actions they want to encourage and those they will not tolerate; and, as a last resort, develop retaliatory measures to be applied once they achieve clear, independently verifiable attribution.

My take is that ultimately it is unlikely that any one nation or alliance will be able to change their adversaries’ political aims and agenda in cyberspace. Sadly, many will think it is worth the risk of provoking others in cyberspace to exercise their cyber warfare capabilities and extend their reach, especially the big boys like China, Russia, and the United States. Thrown into the mix are smaller nations that will refine their cyber warfare capabilities to augment their security and military capabilities as a more cost-effective way to spy and wage war. Moreover, there is always treachery on the part of unattributed actors such as thrill-seekers, rogue terrorists, or criminals triggering a cyberwar.

It’s ugly out there, and it is getting frightfully nasty for passive bystanders. Nevertheless, individuals can still be proactive with their security and deflect some dangers.

Bibliography:

Coats, D. (2019). Statement for the Record Worldwide Threat Assessment of the US Intelligence Community January 29, 2019. PDF Available at: https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR—SSCI.pdf [Accessed 1 Feb. 2019].

Coats, Daniel R. 1943- [worldcat Identities], http://www.worldcat.org/identities/lccn-no91-7183/  (accessed February 01, 2019).