Motivated, But Don't Know Where To Start?
Are you motivated by the record-breaking cyber attacks in the media or talk of new cyber-related regulations? Has your insurance company prompted you to answer their security questionnaire? Maybe your organization has experienced an attack recently. Whatever the case may be, there are free resources available to guide you through the process of improving your organization's security posture and establishing a plan to handle an adverse situation.
"Every organization—large and small—must be prepared to respond to disruptive cyber activity." - CISA
In relation to the situation in Ukraine, the Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies have been doing their best to make sure you are prepared for a cyber attack or other incident. CISA has launched its Shields Up campaign to educate and "help organizations prepare for, respond to, and mitigate the impact of cyber-attacks." CISA has also provided a list of free security tools.
Not Sure If You Are Prepared?
What are you going to do if X, Y, or Z happens? Do you know how it will impact your organization? Who is responsible for what? How long will it take you to recover? Maybe you have been asking these questions, and hopefully you have good answers.
If you have a Security Program and follow a security or risk management framework, you may already have a Contingency Planning Management Team in place, and now would be a great time to revisit your incident response plans to make sure they are up to date and tested. If not, there is no need to reinvent the wheel; there are plenty of resources you can utilize to get your security and incident response programs started. Katlyn Gallo, Senior Information Security Analyst at Syneos Health, recently wrote an article on 7 of the most popular security frameworks. One of these security frameworks may be more fitting for your organization than another. We will focus specifically on the NIST Cybersecurity Framework.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework "consists of standards, guidelines and best practices to manage cybersecurity risk." I have explained this framework to many people and organizations. The best way I've found is to condense it into a few simple steps and phases. It is a cyclic process to improve your security posture, within your business objectives and interests, by identifying and prioritizing security gaps and objectives through continuous communication and assessments.
The Framework consists of three components: Core, Tiers, and Profile. I won't go into much detail here, but the Core is a set of functions where you Identify, Protect, Detect, Respond, and Recover. The Tiers component is a self-defined metric that allows you to track security posture, with Tier 1 being the least mature and Tier 4 the most mature. The final component is the Profile, which allows you to compare and identify gaps in your security posture and develop a plan.
Discovery: This is where you gather information to determine everything within the scope of the security program and the related systems, assets, regulations, etc. Steps 1-3 of the Framework (Prioritize & Scope, Orient, and Current Profile) have been condensed here.
Risk Assessment: Assess risks, threats, vulnerabilities, impact, and likelihood to get your current security posture. This is similar to a Business Impact Analysis. I'll discuss this more later with contingency planning.
Target Profile: Using the data from the risk assessment, identify a desired security profile based on the security objectives you would like to achieve.
Implementation Plan and Action: Create a realistic plan to reach the target profile with the most critical and/or business-sensible items at the top. This will help you forecast a budget and get these security controls implemented within your business objectives. These security controls are mapped to NIST Special Publication 800-53.
Assess Progress: Audit the security posture, verify the implementation of policies and security controls, and reformulate a new implementation plan.
By following the NIST CSF, or another framework, you should have a thorough Security Program in place to help mitigate and prepare for security incidents. The Security Program will have identified the need for an Incident Response Team and IR Plan to handle these incidents. How will you get your Incident Response Program started?
Contingency Management
Incident Response | Disaster Recovery | Business Continuity
During an active incident, the last thing you want to do is scramble to make decisions and gather resources. Taking the time to ensure the teams, policies, procedures, and resources are in place can seriously reduce the impact and time to recover from an incident. NIST SP 800-34 is a guide for contingency management. Here is a basic breakdown of what you need to improve your preparedness.
Form a Team
To start a Contingency Management Program, or other similar programs, you need to create a Contingency Management Planning Team (CMPT). Depending on the size of your organization, you may have a CMPT that is also your Incident Response, Disaster Recovery, and Business Continuity Planning Team. If not, these other teams are subordinate and will receive guidance from the CMPT. The structure and processes will be similar. The CMPT needs a clear Contingency Policy outlining the components, roles, responsibilities, scope, and objectives that enable the functions and resources of the team. The team may consist of a Chief Operations Officer, a Project Manager, business, IT, and InfoSec staff, other subject matter experts, and representatives from subordinate teams. Some of the team's functions are to develop policies and strategies, conduct training and testing, and perform a Business Impact Analysis.
Business Impact Analysis
The Business Impact Analysis is a weighted assessment of the impact of incidents and helps to prioritize critical systems and processes. This information is an important basis for planning and developing team objectives and resource usage to respond, minimize impact, and recover. These are the three steps outlined in the NIST Contingency Planning Guide:
Determine mission/business processes and recovery criticality
Identify resource requirements
Identify recovery priorities for system resources
Determining which systems and business processes are mission critical is done by identifying the outage impact and estimated downtime in relation to business objectives. The outage impact is given a metric used to prioritize. The estimated downtime is expressed in terms of Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO).
The purpose of identifying resource requirements is to determine the dependencies of the critical systems and business processes. What do they need to operate? This will help prioritize your response.
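As an added illustration (not code from the original article or from NIST SP 800-34), the following Python script works through the two BIA steps above on a constructed inventory: each process carries an impact score, MTD/RTO/RPO values and its dependencies; the script flags any process whose RTO exceeds its MTD, and derives a recovery order that restores dependencies before the critical processes that need them. All process names and figures are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Process:
    """One BIA entry: impact score 1 (low) to 5 (severe); times in hours."""
    name: str
    impact: int
    mtd: float                  # Maximum Tolerable Downtime
    rto: float                  # Recovery Time Objective
    rpo: float                  # Recovery Point Objective (tolerable data loss)
    depends_on: list = field(default_factory=list)

# Constructed sample inventory; names and figures are illustrative only.
SAMPLE = [
    Process("Order processing", 5, mtd=24, rto=8, rpo=1, depends_on=["Customer DB", "Auth"]),
    Process("Customer DB", 4, mtd=48, rto=12, rpo=4, depends_on=["Network"]),
    Process("Auth", 4, mtd=12, rto=4, rpo=24),
    Process("Network", 5, mtd=8, rto=2, rpo=0),
    Process("HR payroll", 3, mtd=72, rto=96, rpo=24),  # RTO > MTD: the plan misses its own tolerance
    Process("Marketing site", 2, mtd=168, rto=72, rpo=24),
]

def unmeetable(processes):
    """Processes whose RTO exceeds MTD; these need a different strategy or more budget."""
    return [p.name for p in processes if p.rto > p.mtd]

def recovery_order(processes):
    """Recovery sequence: dependencies first, then highest impact, then shortest MTD."""
    by_name = {p.name: p for p in processes}
    rank = lambda p: (-p.impact, p.mtd)
    order, done = [], set()

    def visit(name, path):
        if name in done:
            return
        if name in path:
            raise ValueError(f"circular dependency involving {name!r}")
        if name not in by_name:
            raise ValueError(f"unknown dependency {name!r}; add it to the inventory")
        deps = by_name[name].depends_on
        for dep in sorted(deps, key=lambda d: rank(by_name[d]) if d in by_name else (0, 0)):
            visit(dep, path + (name,))
        done.add(name)
        order.append(name)

    for p in sorted(processes, key=rank):
        visit(p.name, ())
    return order
```

Running `recovery_order(SAMPLE)` puts the network and authentication services ahead of order processing even though order processing has the highest impact, which is exactly the dependency information the second BIA step is meant to surface.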
Be mindful of the cost of recovery. As downtime increases, one method of recovery may become more costly and change the recovery strategy. Budget increases or decreases can impact the resources of these response teams. When considering contingency budgeting, look no further than Covid-19. Many organizations were not ready to pay salaries to employees who were required to remain at home. Work-from-home strategies were an unforeseen expense.
Plans, Playbooks, and Testing
The response teams and response plans will need to be organized. Make sure you have qualified professionals for your teams. It may be more cost effective to outsource one or more response teams depending on the type of threat scenario. Taking the information from the Business Impact Analysis or Risk Assessment, create customized plans for each of the scenarios identified.
Conduct testing, tabletop, and full scale exercises with all stakeholders to ensure the plans are working correctly. Identify any gaps or unforeseen factors, risks, or scenarios. Having a plan is great, but if you have not put it into practice, you may experience unexpected hurdles. Plans should be maintained regularly. As an organization or system changes, it may require adapting or obtaining new strategies, policies, plans, and resources.
Legal, Regulatory, & Ethical Considerations
Make sure to consider the legal and regulatory obligations that follow an adverse event or incident. This is in no way legal advice, but here are some things to take note of that will hopefully spark some thought.
Has your organization practiced diligence in protecting Personally Identifiable Information, Personal Health Information, or Payment Card Information? Does your organization have reasonable security controls in place to protect consumer data?
Understand the regulations involved with your organization's operations and the legal implications of non-compliance. Are you required to report a breach, and to whom? If you are not required by regulation, is it ethical to report an incident? How will it affect public image?
In the Covid-19 scenario, what did you do to support your employees? Keep in mind that the absence of a law or regulation does not make you immune to financial repercussions. Brian Levine, Managing Director of EY Parthenon, recently identified a 9th Circuit court proceeding that was brought forth on the basis of a company falsely claiming it had implemented a "comprehensive" security program.
Here are a few common laws and regulations your organization may be required to comply with: PCI DSS, HIPAA, GLBA, SOX, GDPR. The FTC recently expanded the requirements for non-banking financial institutions in the Safeguards Rule, and made a statement warning companies to remediate the December 2021 Log4j CVE.
This is not meant to be an exhaustive analysis of the NIST Special Publications mentioned here, of a security program, contingency management, or business impact analysis, nor is it legal advice. I hope to spark some thoughts, provide free resources, and motivate the reader to take action in preparation for a security incident and/or risk. If you have made it this far, thank you so much for your time.