"It is impossible for ideas to compete in the marketplace if no forum for their presentation is provided or available."
Thomas Mann, 1896
The Business Forum Journal
Cyber Security
By Robin D. Cody
Have you ever wondered what it would take to pass a Cyber Security Audit? Clearly, critical technology assets and infrastructures must be protected from all hazards, both natural disasters and man-made ones such as terrorism, whether the threat is cyber-related or a large-scale physical attack. Hurricanes, earthquakes, fires, and train crashes can impact infrastructures just as much as a premeditated act aimed at disrupting services or harming people.
Too often, businesses have a reasonable level of protection from a technology perspective, but woefully lack the documentation to support it. Usually, the first thing an auditor will ask for is your company's Plan. Without it, you're already going to get black marks.
A well-defined and documented Cyber Security Plan can set you on the right track. The security standards defined in a Cyber Security Plan are governed by your business needs in addition to mandated and legislated requirements, as well as industry best practices.
Having done some work in this area for a few clients, I have found that following the standards set forth by the Federal Government's Critical Infrastructure Protection (CIP) elements, which are closely aligned with those of the International Standards Organization (ISO), creates a sound foundation for your company.
The ISO 27000 series (27001 & 27002) establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management, and it outlines controls and control mechanisms.
The Cyber Security Plan will document your company's security policies, goals, guidelines and responsibilities. The Plan can help you implement a formal, company-wide Cyber Security Plan intended to protect information and data, including Information Technology and Supervisory Control and Data Acquisition (SCADA) systems, and to assure their availability to support all company operations.
The typical scope of a Cyber Security Plan is to:
- Provide uniform policy and centralized guidance for dealing with all known and recognized aspects of Cyber Security affecting your company and its operations
- Provide guidance to ensure that all sensitive information handled by the company's automated systems is protected commensurate with the risk of inadvertent or deliberate disclosure, fraud, misappropriation, misuse, or sabotage
- Protect employees from unnecessary temptation to misuse company resources while fulfilling their normal duties
- Protect employees from suspicion in the event of misuse or abuse by others
- Ensure the integrity and accuracy of all company information and technology assets
- Protect company operating systems and information processing from incidents of hardware, software or network failure resulting from human carelessness, intentional abuse or accidental misuse of the system
- Protect management from charges of imprudence in the event of compromise of any security system or disaster
The objective of a Cyber Security Plan is to create an environment where, based upon an active and continuous risk analysis program, the following elements of Cyber Security can be successfully integrated and implemented:
- Denial of access to information technology system resources based upon a defined access requirement
- A proven ability to audit all transactions and processes impacting company databases and operational outputs
- Security awareness and employee programs designed to educate employees in the company's security requirements
- Traditional physical security controls and accountability with manual as well as automated processes
- Systems development review procedures and testing to ensure security is built into all information technology system designs and procurements
- A program of management reviews and audits to ensure compliance with security controls
- A realistic and exercised contingency plan
One example of a Cyber Security Plan will follow the nine (9) steps of the CIP as outlined below:
- Requirement 1: document a risk-based assessment methodology for Critical Assets
- Requirement 2: develop a list of Critical Assets
- Requirement 3: develop a list of Critical Cyber Assets
- Requirement 4: senior manager will approve annually

- Requirement 1: document and implement a cyber security policy
- Requirement 2: assign senior manager for implementing plan
- Requirement 3: document and authorize exceptions
- Requirement 4: identify, classify, protect and document Critical Cyber Assets
- Requirement 5: document and implement a program for managing access
- Requirement 6: establish a process of change control and configuration management

- Requirement 1: establish, maintain, and document a security awareness program
- Requirement 2: establish, maintain, and document a cyber security training program
- Requirement 3: conduct personnel risk assessments
- Requirement 4: maintain list of authorized personnel with access to Critical Cyber Assets

- Requirement 1: document the Electronic Security Perimeter(s) and all access points
- Requirement 2: document the control of electronic access at access points to the perimeter
- Requirement 3: monitor and log access to access points to Electronic Security Perimeter
- Requirement 4: perform vulnerability assessment of access points to the perimeter
- Requirement 5: update and maintain documentation to support compliance

- Requirement 1: create and maintain a physical security plan
- Requirement 2: control and manage physical access at all perimeter access points
- Requirement 3: monitor physical access to access points to Physical Security Perimeter
- Requirement 4: log physical entry at all access points to the Physical Security Perimeter
- Requirement 5: retain physical access logs for ninety calendar days
- Requirement 6: test to ensure that all physical security systems function properly

- Requirement 1: test procedures for new or changed Cyber Security Assets
- Requirement 2: ensure only ports for normal / emergency operations are enabled
- Requirement 3: implement a security patch management program
- Requirement 4: use anti-virus and other malicious software (malware) prevention tools
- Requirement 5: implement controls that enforce access authentication of all user activity
- Requirement 6: use tools or controls to monitor system events related to cyber security
- Requirement 7: establish procedures for disposal of Cyber Assets within the perimeter
- Requirement 8: perform a cyber vulnerability assessment of all Cyber Assets
- Requirement 9: document modifications to systems or controls within ninety calendar days

- Requirement 1: procedures for recognition and awareness of sabotage
- Requirement 2: procedures for the communication of information concerning sabotage
- Requirement 3: provide its personnel with sabotage response guidelines
- Requirement 4: establish communications contacts and develop reporting procedures

Incident Reporting and Response Planning

- Requirement 1: review annually recovery plans for Critical Cyber Assets
- Requirement 2: conduct recovery plan exercises annually
- Requirement 3: update recovery plan from exercises, communicate within ninety days
- Requirement 4: maintain procedure for backup to successfully restore critical information
- Requirement 5: test recovery and backup media annually
The requirements listed above tell the company the "what"; the real value of a well-written Plan is that it provides the "how" and documents the gaps that need to be addressed. As always, a Cyber Security Plan should be seen as a living document, with changes and updates part of an ongoing process.
Robin D. Cody is a Fellow of The Business Forum Institute and Principal of the Government and Technology Consulting Practice, Sunrise Consulting. Robin is an information technology executive with 37 years of experience in the transportation field. He has almost thirty years of experience working in the public sector, as well as union environments, creating organizational and operational policies, procedures, business architectures and investment strategies. He holds a B.S. from Warner Pacific College, Portland, Oregon. Robin was Chief Information Officer from 1995 to 2008 of the San Francisco Bay Area Rapid Transit District. Robin is well known in the Pacific States of America for his contributions to executive education, including APTA Information Technology ~ Chair; TransITech (Industry Conference) Founder; APTA Integrated Technology Chair; TRB 09 Problem Workshop Panelist; APTA Y2K Task Force ~ Vice Chair; TRB: Synthesis of Transit Practice ~ Panelist; TRB: Electronic Business Strategies for Public Transportation ~ Panelist; TRB: 511 Traveler Information Systems ~ Chair; APTA IT-Procurement ~ Chair.
Visit the Author's Web Site: http://www.sunrise-us.net
The Business Forum, Beverly Hills, California, United States of America
© Copyright The Business Forum Institute 1982 - 2010. All rights reserved.