Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
Your organization now recognizes the importance of incorporating after-action reports and internal lessons learned into the existing cybersecurity plan. But we don't only learn from our own "blundering." You're not operating in a vacuum; other businesses are out there having the same types of successes and failures. What have they learned, and what have they improved? Determine what outside sources you should look towards for said lessons. Most likely this will involve looking to events that transpired in your industry, e.g., clinical laboratories looking to the healthcare industry and retailers looking to other retail security failures. In the healthcare realm, ''[https://www.healthcareitnews.com/category/resource-topic/privacy-security Healthcare IT News]'' has been tracking and conglomerating cybersecurity news, videos, infographics, and projects for several years now. In the industrial world, [https://www.nozominetworks.com/in-the-news/ Nozomi Networks] has been doing a respectable job of conglomerating cybersecurity news in multiple languages. In particular, focus on incorporating lessons learned that address an obvious gap in your cybersecurity infrastructure and plan.
<blockquote>Cybersecurity is much more than a matter of IT.<br />&nbsp;<br />- Stéphane Nappo, CISO of Société Générale</blockquote>
 
After working through this guide, the quote of Stéphane Nappo should ring true; there's more to cybersecurity than focusing on information technology and technological expertise. Yes, those remain important elements of the recipe for cybersecurity success, but more ingredients are involved. First, the organization needs to not only want to improve cybersecurity, but it also needs enthusiastic support of that goal from leadership. Without support and encouragement from the higher levels in the form of active participation and financial buy-in, it's difficult to change the organizational culture. Second, the cybersecurity strategy isn't going to simply coalesce; it requires strong project management and a clearly defined plan. Without them, implementation of any cybersecurity measures will be, at best, haphazard and minimally effective. Third, effective communication, training, response, and monitoring plans are required to get full buy-in from personnel and associated third parties, as well as to ensure cyber attacks are held to a minimum and, when they do happen, they are addressed rapidly and efficiently. Without those elements, any implemented cybersecurity plan will lack potency over the long term, leaving the organization more prone to cyber attacks and financial consequence.
 
This guide has hopefully provided you with all the considerations required to develop an effective, living cybersecurity plan for your organization. As part of that development effort, this guide has also addressed the benefits and uses of cybersecurity standards frameworks. The decision of which frameworks to choose isn't to be taken lightly; however, when chosen and implemented well, they have the potential to assist the organization with developing their overall cybersecurity strategy. The frameworks' security control, program development, and risk management elements can help deduce gaps between the current system state and the desired system state, as well as gaps in internal expertise, hardware, and policy. Most frameworks are also built on or mapped to other existing standards and frameworks, which have been developed by a broad consensus of interested individuals with expertise in cybersecurity and the fields requiring it. Regulatory bodies have also shaped those standards and frameworks, meaning that the organization that effectively uses cybersecurity standards frameworks in their plan development will be prepared at go-live for conformance to regulations.
 
Finally, this guide has also included an appendix of NIST SP 800-53 controls with slightly more simplified language, as well as additional resources to give the controls a clearer context. Additionally, they are linked to the LIMSpec, an evolving set of specifications for laboratory informatics solutions and their development. For those outside the laboratory industry, that inclusion will likely not mean much; however, you've hopefully still gained insight from the contents of this guide. For those working in laboratories, particularly those with laboratory informatics solutions or seeking to purchase them, the mappings to LIMSpec provide additional value in ensuring those informatics solutions are providing the cybersecurity functionality critical to your laboratory's success.
 
Regardless of what industry you work in, how many people make up your organization, or what technology you're using, remind yourself that ignoring cyber threats has consequences. Even if your primary cyber asset is only your business website, that asset can still be compromised. It takes awareness, planning, and dedication to fighting the growing body of cyber threats, but given tools such as this guide, you'll succeed in your organizational goals towards being more security-aware and cyber-prepared.

==Citation information for this chapter==
'''Chapter''': 5. Develop and create the cybersecurity plan
'''Chapter''': 6. Closing remarks

'''Title''': ''Comprehensive Guide to Developing and Implementing a Cybersecurity Plan''

Revision as of 20:29, 16 February 2022


Edition: First

Author for citation: Shawn E. Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: July 2020