Difference between revisions of "User:Shawndouglas/sandbox/sublevel24"

From LIMSWiki
Jump to navigationJump to search
Line 1: Line 1:


==1. What is a cybersecurity plan and why do you need it?==
==1. What is a cybersecurity plan and why do you need it?==


<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=29 November 2019}}</ref>
<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=29 November 2019}}</ref>
Line 36: Line 37:
====5.1.3 Based on the above, state the cybersecurity mission and define how to achieve it====
====5.1.3 Based on the above, state the cybersecurity mission and define how to achieve it====
====5.1.4 Gain and promote active and visible support from executive management in achieving the cybersecurity mission====
====5.1.4 Gain and promote active and visible support from executive management in achieving the cybersecurity mission====
<ref name="DowningAHIMA17" />


===5.2 Define scope and responsibilities===
===5.2 Define scope and responsibilities===
====5.2.1 Define the scope and applicability through key requirements and boundaries====
====5.2.1 Define the scope and applicability through key requirements and boundaries====
====5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan====
====5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan====
<ref name="DowningAHIMA17" />
====5.2.3 Ensure responsibility for security risk management and other key aspects (the “who” of it) is clear====
====5.2.3 Ensure responsibility for security risk management and other key aspects (the “who” of it) is clear====


===5.3 Identify cybersecurity requirements and objectives===
===5.3 Identify cybersecurity requirements and objectives===
====5.3.1 Detail the existing system and classify its critical cyber assets====
====5.3.1 Detail the existing system and classify its critical cyber assets====
<ref name="DowningAHIMA17" />
====5.3.2 Define the contained data and classify its criticality (data maps may help)====
====5.3.2 Define the contained data and classify its criticality (data maps may help)====
====5.3.3 Identify current and previous cybersecurity policy and tools; determine what has worked and what hasn’t====
====5.3.3 Identify current and previous cybersecurity policy and tools; determine what has worked and what hasn’t====
<ref name="DowningAHIMA17" />
====5.3.4 Identify the regulations and standards affecting your assets and data (e.g., what are the data retention requirements)====
====5.3.4 Identify the regulations and standards affecting your assets and data (e.g., what are the data retention requirements)====
<ref name="DowningAHIMA17" />
====5.3.5 Identify and analyze system entry points and configurations (if internal resources are unavailable for this, it may require a third-party security assessment)====
====5.3.5 Identify and analyze system entry points and configurations (if internal resources are unavailable for this, it may require a third-party security assessment)====
<ref name="DowningAHIMA17" />
====5.3.6 Identify and analyze physical entry points====
====5.3.6 Identify and analyze physical entry points====
====5.3.7 Perform a gap analysis (comparing safeguards in place vs. how well they work)====
====5.3.7 Perform a gap analysis (comparing safeguards in place vs. how well they work)====
====5.3.8 Perform a risk assessment and prioritize risk based on threat, vulnerability, likelihood, and impact (e.g., examine personnel, third parties, hardware, etc.)====
====5.3.8 Perform a risk assessment and prioritize risk based on threat, vulnerability, likelihood, and impact (e.g., examine personnel, third parties, hardware, etc.)====
<ref name="DowningAHIMA17" />
====5.3.9 Declare and describe objectives based on the outcomes of the above assessments====
====5.3.9 Declare and describe objectives based on the outcomes of the above assessments====
====5.3.10 Develop new policies for passwords, physical security, etc. where gaps have been identified from the above assessments and objectives====
====5.3.10 Develop new policies for passwords, physical security, etc. where gaps have been identified from the above assessments and objectives====
<ref name="DowningAHIMA17" />
====5.3.11 Select and refine security controls for identification, protection, detection, response, and recovery based on the assessments, objectives, and policies above (NIST security controls are used for this example plan)====
====5.3.11 Select and refine security controls for identification, protection, detection, response, and recovery based on the assessments, objectives, and policies above (NIST security controls are used for this example plan)====


===5.4 Establish performance indicators and associated timeframes===
===5.4 Establish performance indicators and associated time frames===
====5.4.1 Determine baselines and indicators based on the assessments and objectives from the previous step====
====5.4.1 Determine baselines and indicators based on the assessments and objectives from the previous step====
====5.4.2 Determine how to measure progress and assess performance (quantitative vs. qualitative) and what tools are needed for such measurement and assessment (e.g., monitoring anomalous activity, system and asset activity logging)====
====5.4.2 Determine how to measure progress and assess performance (quantitative vs. qualitative) and what tools are needed for such measurement and assessment (e.g., monitoring anomalous activity, system and asset activity logging)====
<ref name="DowningAHIMA17" />


===5.5 Identify key stakeholders===
===5.5 Identify key stakeholders===
Line 72: Line 82:
====5.7.1 Address the need for transparency in improving the cybersecurity culture====
====5.7.1 Address the need for transparency in improving the cybersecurity culture====
====5.7.2 Determine guidelines for everyday communication (e.g., informing third parties of organization privacy policies) and mandatory reporting to meet cybersecurity goals====
====5.7.2 Determine guidelines for everyday communication (e.g., informing third parties of organization privacy policies) and mandatory reporting to meet cybersecurity goals====
<ref name="DowningAHIMA17" />
====5.7.3 Determine guidelines for handling or discussing sensitive information====
====5.7.3 Determine guidelines for handling or discussing sensitive information====
====5.7.4 Address incident reporting and response (consider the use of playbooks, report templates, and training drills) as well as corrective action====
====5.7.4 Address incident reporting and response (consider the use of playbooks, report templates, and training drills) as well as corrective action====
====5.7.5 Address cybersecurity training methodology, requirements, and status tracking====
====5.7.5 Address cybersecurity training methodology, requirements, and status tracking====
<ref name="DowningAHIMA17" />


===5.8 Develop a recovery and continuity plan===
===5.8 Develop a recovery and continuity plan===
====5.8.1 Consider linking a cybersecurity incident recovery plan and communication tools with a business continuity plan and its communication tools====
====5.8.1 Consider linking a cybersecurity incident recovery plan and communication tools with a business continuity plan and its communication tools====
<ref name="DowningAHIMA17" />
====5.8.2 Include a listing of organizational resources and their criticality, a set of formal recovery processes, security and dependency maps, a list of responsible personnel, a (previously mentioned) communication plan, and information sharing criteria====
====5.8.2 Include a listing of organizational resources and their criticality, a set of formal recovery processes, security and dependency maps, a list of responsible personnel, a (previously mentioned) communication plan, and information sharing criteria====
<ref name="DowningAHIMA17" />


===5.9 Establish how the overall cybersecurity plan will be implemented===
===5.9 Establish how the overall cybersecurity plan will be implemented===

Revision as of 18:08, 29 November 2019

1. What is a cybersecurity plan and why do you need it?

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

2. What are the major standard and regulations dictating cybersecurity action?

3. The NIST Cybersecurity Framework and its control families

4. Fitting a framework or specification into a cybersecurity plan

5. Develop and create the cybersecurity plan

5.1. Develop strategic cybersecurity goals and define success

5.1.1 Broadly articulate business goals and how information technology relates

5.1.2 Articulate why cybersecurity is vital to achieving those goals

5.1.3 Based on the above, state the cybersecurity mission and define how to achieve it

5.1.4 Gain and promote active and visible support from executive management in achieving the cybersecurity mission

[4]

5.2 Define scope and responsibilities

5.2.1 Define the scope and applicability through key requirements and boundaries

5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan

[4]

5.2.3 Ensure responsibility for security risk management and other key aspects (the “who” of it) is clear

5.3 Identify cybersecurity requirements and objectives

5.3.1 Detail the existing system and classify its critical cyber assets

[4]

5.3.2 Define the contained data and classify its criticality (data maps may help)

5.3.3 Identify current and previous cybersecurity policy and tools; determine what has worked and what hasn’t

[4]

5.3.4 Identify the regulations and standards affecting your assets and data (e.g., what are the data retention requirements)

[4]

5.3.5 Identify and analyze system entry points and configurations (if internal resources are unavailable for this, it may require a third-party security assessment)

[4]

5.3.6 Identify and analyze physical entry points

5.3.7 Perform a gap analysis (comparing safeguards in place vs. how well they work)

5.3.8 Perform a risk assessment and prioritize risk based on threat, vulnerability, likelihood, and impact (e.g., examine personnel, third parties, hardware, etc.)

[4]

5.3.9 Declare and describe objectives based on the outcomes of the above assessments

5.3.10 Develop new policies for passwords, physical security, etc. where gaps have been identified from the above assessments and objectives

[4]

5.3.11 Select and refine security controls for identification, protection, detection, response, and recovery based on the assessments, objectives, and policies above (NIST security controls are used for this example plan)

5.4 Establish performance indicators and associated time frames

5.4.1 Determine baselines and indicators based on the assessments and objectives from the previous step

5.4.2 Determine how to measure progress and assess performance (quantitative vs. qualitative) and what tools are needed for such measurement and assessment (e.g., monitoring anomalous activity, system and asset activity logging)

[4]

5.5 Identify key stakeholders

5.5.1 Determine what external (federal, state, local, and private) entities the business currently interacts with

5.5.2 Determine what internal entities or people may act as cybersecurity stakeholders

5.5.3 Define how those stakeholders shape the cybersecurity plan and its strategic goals

5.6 Determine resource needs

5.6.1 Determine whether sufficient in-house subject-matter expertise exists, and if not, how it will be acquired

5.6.2 Estimate time commitments and resource allocation towards training exercises, professional assistance, infrastructure, asset management, and recovery and continuity

5.6.3 Review the budget

5.7 Develop a communications plan

5.7.1 Address the need for transparency in improving the cybersecurity culture

5.7.2 Determine guidelines for everyday communication (e.g., informing third parties of organization privacy policies) and mandatory reporting to meet cybersecurity goals

[4]

5.7.3 Determine guidelines for handling or discussing sensitive information

5.7.4 Address incident reporting and response (consider the use of playbooks, report templates, and training drills) as well as corrective action

5.7.5 Address cybersecurity training methodology, requirements, and status tracking

[4]

5.8 Develop a recovery and continuity plan

5.8.1 Consider linking a cybersecurity incident recovery plan and communication tools with a business continuity plan and its communication tools

[4]

5.8.2 Include a listing of organizational resources and their criticality, a set of formal recovery processes, security and dependency maps, a list of responsible personnel, a (previously mentioned) communication plan, and information sharing criteria

[4]

5.9 Establish how the overall cybersecurity plan will be implemented

5.9.1 Detail the specific steps regarding how all the above will be implemented

5.9.2 State the major implementation milestones

5.9.3 Determine how best to communicate progress on the plan’s implementation

5.10 Review progress

5.10.1 Monitor and assess the effectiveness of security controls

5.10.2 Review how to capture and incorporate corrective action procedures and results

5.10.3 Determine how often to review and update the cybersecurity plan

5.10.4 Determine external sources for “lessons learned” and how to incorporate them for improving cybersecurity strategy

6. Closing remarks

Appendix 1. A revised NIST Cybersecurity Framework, tied to LIMSpec

6.1 Access control

6.2 Awareness and training

6.3 Audit and accountability

6.4 Security assessment and authorization

6.5 Configuration management

6.6 Contingency planning

6.7 Identification and authentication

6.8 Incident response

6.9 Maintenance

6.10 Media protection

6.11 Physical and environmental protection

6.12 Planning

6.13 Personnel security

6.14 Risk assessment

6.15 System and services acquisition

6.16 System and communication protection

6.17 System and information integrity

References

  1. Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 29 November 2019. 
  2. Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 29 November 2019. 
  3. Lago, C. (10 July 2019). "How to implement a successful cybersecurity plan". CIO. IDG Communications, Inc. https://www.cio.com/article/3295578/how-to-implement-a-successful-security-plan.html. Retrieved 29 November 2019. 
  4. 4.00 4.01 4.02 4.03 4.04 4.05 4.06 4.07 4.08 4.09 4.10 4.11 4.12 4.13 Downing, K. (December 2017). "AHIMA Guidelines: The Cybersecurity Plan" (PDF). American Health Information Management Association. https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf. Retrieved 29 November 2019. 
  5. Norton, K. (21 June 2018). "Similar but Different: Gap Assessment vs Risk Analysis". HIPAA One. https://www.hipaaone.com/2018/06/21/gap-assessment-vs-risk-analysis/. Retrieved 29 November 2019. 
  6. Ewing, S. (12 July 2017). "4 Ways to Integrate Your Cyber Security Incident Response and Business Continuity Plans". Delta Risk. https://deltarisk.com/blog/4-ways-to-integrate-your-cyber-security-incident-response-and-business-continuity-plans/. Retrieved 29 November 2019. 
  7. Krasnow, M.J. (February 2017). "Cyber-Security Event Recovery Plans". International Risk Management Institute, Inc. https://www.irmi.com/articles/expert-commentary/cyber-security-event-recovery-plans. Retrieved 29 November 2019. 
  8. "How to Develop A Cybersecurity Plan For Your Company (checklist included)". Copeland Technology Solutions. 17 July 2018. https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/. Retrieved 29 November 2019. 
  9. Talamantes, J. (6 September 2017). "Does Your Cybersecurity Plan Need an Update?". RedTeam Knowledge Base. RedTeam Security Corporation. https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update/. Retrieved 29 November 2019.