Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

[[File:Cybersecurity Strategy 5 Layer CS5L.png|right|450px]]With cybersecurity goals, asset inventory, and gap analysis in hand, it's time to go comprehensive with risk assessment and prioritization. Regardless of whether you're hosting and transmitting PHI or other types of sensitive information, you'll want to look at all your cybersecurity goals, systems, and applications as part of the risk analysis.<ref name="DowningAHIMA17">{{cite web |url=https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |format=PDF |title=AHIMA Guidelines: The Cybersecurity Plan |author=Downing, K. |publisher=American Health Information Management Association |date=December 2017 |accessdate=23 July 2020}}</ref> Functions of risk analysis include, but are not limited to<ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=23 July 2020}}</ref><ref name="NortonSimilar18">{{cite web |url=https://www.hipaaone.com/2018/06/21/gap-assessment-vs-risk-analysis/ |title=Similar but Different: Gap Assessment vs Risk Analysis |author=Norton, K. |publisher=HIPAA One |date=21 June 2018 |accessdate=23 July 2020}}</ref><ref name="TalamantesDoesYour17">{{cite web |url=https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update/ |title=Does Your Cybersecurity Plan Need an Update? |author=Talamantes, J. |work=RedTeam Knowledge Base |publisher=RedTeam Security Corporation |date=06 September 2017 |accessdate=23 July 2020}}</ref>:

* considering the operations supporting business goals and how those operations use technology to achieve them;
* considering the various ways the system's functionality and entry points could be abused and compromised (threat modeling);
* comparing the current system's or component's architecture and features to various threat models; and
* compiling the risks identified during threat modeling and architecture analysis and prioritizing them based on threat, vulnerability, likelihood, and impact.

Additionally, as part of this process, you'll also want to examine the human element of risk in your business. How thorough are your background checks of new employees and of third parties accessing your systems? How easily can they reach the software and the hardware? Is the principle of "least privilege" being applied consistently? Have any employee loyalties shifted drastically lately? Are the vendors supplying your IT and data services thoroughly vetted? These and other questions can supplement the human-based aspect of cybersecurity risk assessment.

As previously mentioned, with indicators come metrics. But what tools will be used to acquire those metrics, and will those metrics measure quantitatively or qualitatively?<ref name="MarrKey12">{{cite book |url=https://books.google.com/books?id=WleQ-F6WC3sC&printsec=frontcover |chapter=Introduction |title=Key Performance Indicators (KPI): The 75 Measures Every Manager Needs to Know |author=Marr, B. |publisher=Pearson UK |year=2012 |page=xxvii |isbn=9780273750116}}</ref> Are the measurement and monitoring tools already available, or will they have to be acquired or developed? Can the data from intrusion detection systems and audit logs assist you in developing those metrics?<ref name="DowningAHIMA17">{{cite web |url=https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |format=PDF |title=AHIMA Guidelines: The Cybersecurity Plan |author=Downing, K. |publisher=American Health Information Management Association |date=December 2017 |accessdate=23 July 2020}}</ref> These and other questions must be asked when considering the numbers and measurements associated with an indicator. For many indicators, how to measure progress is relatively clear. A performance indicator such as "mean time to detect" (how long before your business becomes aware of a cybersecurity incident) is measured in days. An indicator such as "risk classification" (is the risk minor, major, real, etc.) is measured using a non-numerical classification word. Refer to Black ''et al.'' and their ''Cyber security metrics and measures''<ref name="BlackCyber08">{{cite book |chapter=Cyber security metrics and measures |title=Handbook of Science and Technology for Homeland Security |volume=5 |author=Black, P.E.; Scarfone, K.; Souppaya, M. |editor=Voeller, J.G. |publisher=John Wiley & Sons |year=2008 |isbn=9780471761303 |doi=10.1002/9780470087923.hhs440}}</ref>, as well as the HSSEDI (Homeland Security Systems Engineering and Development Institute) document ''Cyber Risk Metrics Survey, Assessment, and Implementation Plan''<ref name="JonesCyber18">{{cite web |url=https://www.mitre.org/sites/default/files/publications/pr_18-1246-ngci-cyber-risk-metrics-survey-assessment-and-implementation-plan.pdf |format=PDF |title=Cyber Risk Metrics Survey, Assessment, and Implementation Plan |author=Jones, N.; Tivnan, B. |publisher=Homeland Security Systems Engineering and Development Institute |date=11 May 2018 |accessdate=23 July 2020}}</ref>, for more about cybersecurity metrics.
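The two measurement styles discussed on this page, a quantitative score that prioritizes a risk register by likelihood and impact and a time-based indicator such as "mean time to detect" derived from audit-log timestamps, can be put side by side in a small script. The following is an added example written for this page; it is not code from the wiki or from any of the cited sources. The 5-point scales, the qualitative bands (minor/moderate/major/critical), the risk register rows and the incident timestamps are all constructed assumptions; a real plan would use the scale and categories its own risk framework prescribes.

```python
"""Risk prioritization and a detection-time metric from constructed data.

Added example; not part of the wiki page or its cited sources. The scoring
bands, the 5-point scales and the sample data below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Qualitative bands for a likelihood x impact score (1..25). Assumed here.
_BANDS = [(5, "minor"), (12, "moderate"), (19, "major"), (25, "critical")]


@dataclass
class Risk:
    """One row of a risk register: a threat acting on a vulnerability."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)


def score(likelihood: int, impact: int) -> int:
    """Quantitative risk score: likelihood multiplied by impact."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"scale value {v} outside 1..5")
    return likelihood * impact


def classify(value: int) -> str:
    """Qualitative classification word for a numeric score."""
    for upper, label in _BANDS:
        if value <= upper:
            return label
    raise ValueError(f"score {value} outside 1..25")


def prioritize(register: List[Risk]) -> List[Tuple[str, str, int, str]]:
    """Rank risks by score, breaking ties in favour of higher impact.

    Returns (asset, threat, score, classification) tuples, highest first.
    """
    ranked = sorted(register,
                    key=lambda r: (score(r.likelihood, r.impact), r.impact),
                    reverse=True)
    return [(r.asset, r.threat, score(r.likelihood, r.impact),
             classify(score(r.likelihood, r.impact))) for r in ranked]


@dataclass
class Incident:
    """Timestamps taken from audit logs / IDS alerts for one incident."""
    name: str
    first_event: datetime   # earliest log entry attributable to the incident
    detected: datetime      # when the business became aware of it


def mean_time_to_detect(incidents: List[Incident]) -> Optional[float]:
    """Mean time to detect in days; None when there are no incidents."""
    if not incidents:
        return None
    total = timedelta()
    for inc in incidents:
        gap = inc.detected - inc.first_event
        if gap < timedelta():
            # A detection timestamp earlier than the first event means the
            # log correlation is wrong; refuse rather than skew the metric.
            raise ValueError(f"{inc.name}: detected before first event")
        total += gap
    return total.total_seconds() / 86400 / len(incidents)


# Constructed sample data (not taken from any real organisation).
SAMPLE_REGISTER = [
    Risk("LIMS database", "credential theft", "shared DBA password", 4, 5),
    Risk("instrument PC", "ransomware", "unpatched OS, no backups", 3, 4),
    Risk("guest Wi-Fi", "eavesdropping", "open network", 5, 1),
    Risk("sample portal", "SQL injection", "string-built queries", 2, 5),
]

SAMPLE_INCIDENTS = [
    Incident("phish-01", datetime(2022, 1, 3, 9, 0), datetime(2022, 1, 5, 9, 0)),
    Incident("malware-02", datetime(2022, 1, 10, 0, 0), datetime(2022, 1, 17, 12, 0)),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(row)
    print("MTTD (days):", mean_time_to_detect(SAMPLE_INCIDENTS))
```

Run as a script, the register comes out with the shared DBA password on the LIMS database first (score 20, "critical") and the open guest Wi-Fi last (score 5, "minor"), while the two constructed incidents give a mean time to detect of 4.75 days. The tie-break on impact is deliberate: two risks with the same product can differ a lot in consequence, and the ranking should show that.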


==References==
{{Reflist|colwidth=30em}}

Revision as of 16:34, 16 February 2022

As previously mentioned, with indicators come metrics. But what tools will be used to acquire those metrics, and will those metrics measure quantitatively or qualitatively?[1] Are the measurement and monitoring tools already available, or will they have to be acquired or developed? Can the data from intrusion detection systems and audit logs assist you in developing those metrics?[2] These and other questions must be asked when considering the numbers and measurements associated with an indicator. For many indicators, how to measure progress is relatively clear. A performance indicator such as "mean time to detect" (how long before your business becomes aware of a cybersecurity incident) is measured in days. An indicator such as "risk classification" (is the risk minor, major, real, etc.) is measured using a non-numerical classification word. Refer to Black et al. and their Cyber security metrics and measures[3], as well as the HSSEDI (Homeland Security Systems Engineering and Development Institute) document Cyber Risk Metrics Survey, Assessment, and Implementation Plan[4], for more about cybersecurity metrics.

References

  1. Marr, B. (2012). "Introduction". Key Performance Indicators (KPI): The 75 Measures Every Manager Needs to Know. Pearson UK. p. xxvii. ISBN 9780273750116. https://books.google.com/books?id=WleQ-F6WC3sC&printsec=frontcover.
  2. Downing, K. (December 2017). "AHIMA Guidelines: The Cybersecurity Plan" (PDF). American Health Information Management Association. https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf. Retrieved 23 July 2020.
  3. Black, P.E.; Scarfone, K.; Souppaya, M. (2008). "Cyber security metrics and measures". In Voeller, J.G. Handbook of Science and Technology for Homeland Security. 5. John Wiley & Sons. doi:10.1002/9780470087923.hhs440. ISBN 9780471761303.
  4. Jones, N.; Tivnan, B. (11 May 2018). "Cyber Risk Metrics Survey, Assessment, and Implementation Plan" (PDF). Homeland Security Systems Engineering and Development Institute. https://www.mitre.org/sites/default/files/publications/pr_18-1246-ngci-cyber-risk-metrics-survey-assessment-and-implementation-plan.pdf. Retrieved 23 July 2020.