The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896

The Business Forum Journal


Cyber Security

By Robin D. Cody


Have you ever wondered what it would take to pass a Cyber Security Audit? Clearly, critical technology assets and infrastructures must be protected from all hazards, both natural disasters and man-made ones like terrorism, whether a cyber-related threat or a large-scale physical attack. Hurricanes, earthquakes, fires, and train crashes can impact infrastructures just as much as a premeditated act aimed at disrupting services or harming people.

Too often, businesses have a reasonable level of protection from a technology perspective, but woefully lack documentation to support it. Usually, the first thing an auditor would ask for is your company's Plan. Without it, you're already going to get black marks.

A well-defined and documented Cyber Security Plan can set you on the right track. The security standards defined in a Cyber Security Plan are governed by your business needs in addition to mandated and legislated requirements as well as industry best practices.

Having done some work in this area for a few clients, I have found that following the standards set forth by the Federal Government's Critical Infrastructure Protection (CIP) elements, which are closely aligned with those of the International Standards Organization (ISO), creates a sound foundation for your company. The ISO 27000 (27001 & 27002) series establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management, and it outlines controls and control mechanisms.

The Cyber-Security Plan will document your company's security policies, goals, guidelines and responsibilities. The Plan can help you implement a formal, company-wide Cyber Security Plan intended to protect information and data, including Information Technology and Supervisory Control and Data Acquisition (SCADA) systems, and assure their availability to support all company operations.

The typical scope of a Cyber-Security Plan is to:

  • Provide uniform policy and centralized guidance for dealing with all known and recognized aspects of Cyber Security affecting your company and its operations

  • Provide guidance to ensure that all sensitive information handled by the company's automated systems is protected commensurate with the risk of inadvertent or deliberate disclosure, fraud, misappropriation, misuse, or sabotage

  • Protect employees from unnecessary temptation to misuse company resources while fulfilling their normal duties

  • Protect employees from suspicion in the event of misuse or abuse by others

  • Ensure the integrity and accuracy of all company information and technology assets

  • Protect company operating systems and information processing from incidents of hardware, software or network failure resulting from human carelessness, intentional abuse or accidental misuse of the system

  • Protect management from charges of imprudence in the event of compromise of any security system or disaster

The objective of a Cyber Security Plan is to create an environment where, based upon an active and continuous risk analysis program, the following elements of Cyber Security can be successfully integrated and implemented:

  • Denial of access to information technology systems resources based upon a defined access requirement

  • A proven ability to audit all transactions and processes impacting company databases and operational outputs

  • Both security awareness and employee programs designed to educate employees in the company's security requirements

  • Traditional physical security controls and accountability with manual as well as automated processes

  • Systems development review procedures and testing to ensure security is built into all information technology systems designs and procurements

  • A program of management reviews and audits to ensure compliance with security controls

  • A realistic and exercised contingency plan

One example of a Cyber Security Plan will follow the nine (9) steps of the CIP as outlined below:

Critical Cyber Assets

  • Requirement 1: document a risk-based assessment methodology for Critical Assets

  • Requirement 2: develop a list of Critical Assets

  • Requirement 3: develop a list of Critical Cyber Assets

  • Requirement 4: senior manager will approve annually


Security Management Controls

  • Requirement 1: document and implement a cyber security policy

  • Requirement 2: assign senior manager for implementing plan

  • Requirement 3: document and authorize exceptions

  • Requirement 4: identify, classify, protect and document Critical Cyber Assets

  • Requirement 5: document and implement a program for managing access

  • Requirement 6: establish a process of change control and configuration management

Personnel and Training

  • Requirement 1: establish, maintain, and document a security awareness program

  • Requirement 2: establish, maintain, and document a cyber security training program

  • Requirement 3: conduct personnel risk assessments

  • Requirement 4: maintain list of authorized personnel with access to Critical Cyber Assets

Electronic Security Perimeters

  • Requirement 1: document the Electronic Security Perimeter(s) and all access points

  • Requirement 2: document the control of electronic access at access points to the perimeter

  • Requirement 3: monitor and log access to access points to Electronic Security Perimeter

  • Requirement 4: perform vulnerability assessment of access points to the perimeter

  • Requirement 5: update and maintain documentation to support compliance

Physical Security of Critical Cyber Assets

  • Requirement 1: create and maintain a physical security plan

  • Requirement 2: control and manage physical access at all perimeter access points

  • Requirement 3: monitor physical access to access points to Physical Security Perimeter

  • Requirement 4: log physical entry at all access points to the Physical Security Perimeter

  • Requirement 5: retain physical access logs for ninety calendar days

  • Requirement 6: test to ensure that all physical security systems function properly

System Security Management

  • Requirement 1: test procedures for new or changed Cyber Security Assets

  • Requirement 2: ensure only ports for normal / emergency operations are enabled

  • Requirement 3: implement a security patch management program

  • Requirement 4: use anti-virus and other malicious software ("malware") prevention tools

  • Requirement 5: implement controls that enforce access authentication of all user activity

  • Requirement 6: use tools or controls to monitor system events related to cyber security

  • Requirement 7: establish procedures for disposal of Cyber Assets within the perimeter

  • Requirement 8: perform a cyber vulnerability assessment of all Cyber Assets

  • Requirement 9: document modifications to systems or controls within ninety calendar days

Sabotage Reporting

  • Requirement 1: procedures for recognition and awareness of sabotage

  • Requirement 2: procedures for the communication of information concerning sabotage

  • Requirement 3: provide its personnel with sabotage response guidelines

  • Requirement 4: establish communications contacts and develop reporting procedures

Incident Reporting and Response Planning

  • Requirement 1: maintain a Cyber Security Incident Response Plan

  • Requirement 2: keep documented Cyber Security Incidents for three calendar years

Recovery Plans for Critical Cyber Assets

  • Requirement 1: review annually recovery plans for Critical Cyber Assets

  • Requirement 2: conduct recovery plan exercises annually

  • Requirement 3: update recovery plan from exercises, communicate within ninety days

  • Requirement 4: maintain procedure for backup to successfully restore critical information

  • Requirement 5: test recovery and backup media annually

The requirements listed above tell the company the "what", but the real value of a well-written Plan is that it provides the "how" and documents the "gaps" that need to be addressed. As always, a Cyber Security Plan should be seen as a "living" document, with changes and updates part of an ongoing process.

Robin D. Cody is a Fellow of The Business Forum Institute and Principal of the Government and Technology Consulting Practice Sunrise Consulting. Robin is an information technology executive with 37 years of experience in the transportation field. He has almost thirty years of experience working in the public sector, as well as union environments, creating organizational and operational policies, procedures, business architectures and investment strategies. He holds a B.S. from Warner Pacific College, Portland, Oregon. Robin was Chief Information Officer of the San Francisco Bay Area Rapid Transit District from 1995 to 2008. Robin is well known in the Pacific States of America for his contributions to executive education, including APTA Information Technology ~ Chair; TransITech (Industry Conference) Founder; APTA Integrated Technology Chair; TRB 09 Problem Workshop Panelist; APTA Y2K Task Force ~ Vice Chair; TRB: Synthesis of Transit Practice ~ Panelist; TRB: Electronic Business Strategies for Public Transportation ~ Panelist; TRB: 511 Traveler Information Systems ~ Chair; APTA IT-Procurement ~ Chair.


© Copyright The Business Forum Institute 1982 - 2010. All rights reserved.