Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
Line 1: Line 1:
As previously mentioned, with indicators come metrics. But what tools will be used to acquire those metrics, and will those metrics measure quantitatively or qualitatively?<ref name="MarrKey12">{{cite book |url=https://books.google.com/books?id=WleQ-F6WC3sC&printsec=frontcover |chapter=Introduction |title=Key Performance Indicators (KPI): The 75 Measures Every Manager Needs to Know |author=Marr, B. |publisher=Pearson UK |year=2012 |page=xxvii |isbn=9780273750116}}</ref> Are the measurement and monitoring tools available or will that have to acquired or developed? Can the data from intrusion detection systems and audit logs assist you in developing those metrics?<ref name="DowningAHIMA17">{{cite web |url=https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |format=PDF |title=AHIMA Guidelines: The Cybersecurity Plan |author=Downing, K. |publisher=American Health Information Management Association |date=December 2017 |accessdate=23 July 2020}}</ref> These and other questions must be asked when considering the numbers and measurements associated with an indicator. For many indicators, how to measure progress is relatively clear. A performance indicator such as "mean time to detect" (how long before your business becomes aware of a cybersecurity incident) will be measured in days. An indicator such as "risk classification" (is the risk minor, major, real, etc.) is measured using a non-numerical classification word. Refer to Black ''et al.'' and their ''Cyber security metrics and measures''<ref name="BlackCyber08">{{cite book |chapter=Cyber security metrics and measures |title=Handbook of Science and Technology for Homeland Security |volume=5 |author=Black, P.E.; Scarfone, K.; Souppaya, M. |editor=Voeller, J.G. 
|publisher=John Wiley & Sons |year=2008 |isbn=9780471761303 |doi=10.1002/9780470087923.hhs440}}</ref>, as well as the HSSEDI (Homeland Security Systems Engineering and Development Institute) document ''Cyber Risk Metrics Survey, Assessment, and Implementation Plan''<ref name="JonesCyber18">{{cite web |url=https://www.mitre.org/sites/default/files/publications/pr_18-1246-ngci-cyber-risk-metrics-survey-assessment-and-implementation-plan.pdf |format=PDF |title=Cyber Risk Metrics Survey, Assessment, and Implementation Plan |author=Jones, N.; Tivnan, B. |publisher=Homeland Security Systems Engineering and Development Institute |date=11 May 2018 |accessdate=23 July 2020}}</ref>, for more about cybersecurity metrics.
At this point, you've probably already touched upon who's most interested or concerned about how cybersecurity is implemented within your organization. The first two steps of the plan call for defining cybersecurity goals, success, scope, and responsibilities. By extension, internal leadership with a significant stake in cybersecurity success has thus been identified. Additionally, the employees of an organization play an important role in developing or applying policies and procedures that come from your cybersecurity plan. You may have identified even more internal interests in seeing the plan succeed as well. Be sure at this point those stakeholders have been clearly identified. Also ensure their roles and responsibilities are clearly outlined and disseminated to the appropriate people, which further facilitates improved internal processes, communication, accountability, and preparedness.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=23 July 2020}}</ref><ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=23 July 2020}}</ref>


==References==
==References==
{{Reflist|colwidth=30em}}
{{Reflist|colwidth=30em}}

Revision as of 16:36, 16 February 2022

At this point, you've probably already touched upon who's most interested or concerned about how cybersecurity is implemented within your organization. The first two steps of the plan call for defining cybersecurity goals, success, scope, and responsibilities. By extension, internal leadership with a significant stake in cybersecurity success has thus been identified. Additionally, the employees of an organization play an important role in developing or applying policies and procedures that come from your cybersecurity plan. You may have identified even more internal interests in seeing the plan succeed as well. Be sure at this point those stakeholders have been clearly identified. Also ensure their roles and responsibilities are clearly outlined and disseminated to the appropriate people, which further facilitates improved internal processes, communication, accountability, and preparedness.[1][2]

References

  1. Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 23 July 2020. 
  2. Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 23 July 2020.