Organizations today are vulnerable to cyberattacks. Organizations will experience breaches and security incidents. It is important for businesses to look at cybersecurity strategically. A core element of a cybersecurity strategy is the development of an enterprise cybersecurity standard. The Cyber Standard, as referenced in this article, establishes the core requirements for appropriately protecting electronic protected health information, personally identifiable information, and all other confidential information, and information assets across the enterprise.
Cyberrisk Equals Disruptive Business Risk
The intent of the enterprise Cyber Standard is to provide actionable information that can be applied to establish and improve the state of the enterprise security and compliance program.
Breaches and cyberattacks are a disruption to business. Consider some facts:
• Threats today include more than 100,000 new strains of malware distributed by more than 10,000 new malicious domains each day. These may be used in phishing and spear-phishing attacks to compromise an organization’s cybersecurity.
• Half of such malware is designed to compromise user credentials. These may be used to gain access to other assets in the organization, including access to highly valued systems and credentials.
• Besides malware, there are additional threats such as distributed denial of service attacks, social engineering and others.
• It takes an average of 256 days for an organization to discover a breach. That is a long time, during which compromised assets place the organization at significant risk.
Cyberattackers use a variety of sophisticated techniques to first deploy malware and then, with patience, persistence and sophistication, exploit other weaknesses in the enterprise.
Within the context of the Cyber Standard are key areas that affect the credibility of a security program; these include the types of security controls implemented. The Cyber Standard includes self-attestation checklists used to review and attest to the components of the security program, in effect an annual self-assessment that is formally attested. The enterprise Cyber Standard self-attestation checklists ensure that business entities are evaluated on a regular schedule against defined requirements.
How prepared is your organization to secure vital assets and client information today?
The bottom line is that cyberattacks are becoming increasingly complex and more disruptive to organizations, and every entity must take reasonable and appropriate steps to lower the risk on a continual basis.
A question that senior executives are increasingly giving serious thought to is: How prepared is the organization to address the threats from cyberattacks? Senior executives and board members recognize that the cost associated with a cyberattack may easily be a 7-figure risk to the business, while the remediation and corrective action required may well be an 8-figure challenge to the organization.
Cybersecurity Standard Is the Starting Point
The Cyber Standard establishes the foundation for your policies and technology priorities. This Cyber Standard must be updated on an annual basis. It is the responsibility of the chief information security officer to create, communicate and update this document.
The Cyber Standard must be presented to senior executives and the board of directors for review and approval. The Cyber Standard sets the tone and the priority for the compliance and security initiatives that the organization will address in the current fiscal year.
Scope
The Cyber Standard applies to all members of the workforce, including employees, contractors and volunteers.
Regulatory Mandates
The Cyber Standard requires the organization to ensure that, at a minimum, it meets the requirements of compliance regulations and security standards that impact the business. These may include:
• Payment Card Industry Data Security Standard
• ISO 27001
• US Health Insurance Portability and Accountability Act Security Rule
• Health Information Technology for Economic and Clinical Health Breach Notification
• State regulations, as applicable, in the area of information privacy and security
The enterprise Cyber Standard must follow the strictest applicable regulatory standard. It must be maintained on a continual basis and provide the foundation for a vibrant, active enterprise security and compliance program.
Responsibility
The responsibility for the application and enhancement of the Cyber Standard rests with the CISO. The CISO enforces the Cyber Standard in collaboration with all designated roles that carry compliance and information security responsibilities.
The organization must clearly and formally communicate to all in the organization the individual responsible for leading the cybersecurity program.
Cyber Standard Program: A Life Cycle
The Cyber Standard establishes the foundation for policies, security technology and remediation priorities. The Cyber Standard must be regarded as a life cycle that is consistently managed and continuously improved. The process must then be repeated; the intent is to genuinely establish a life cycle for the Cyber Standard.
A core component of the Cyber Standard is conducting a risk analysis exercise. Organizations must be disciplined about conducting a risk analysis exercise at least annually. The scope of the risk analysis exercise must include a comprehensive and thorough vulnerability assessment. The findings of the risk analysis exercise establish the foundation for the priorities of the enterprise security program.
Cyber Standard Checklists: Annual Self-attestation
The Cyber Standard establishes the checklists that must be used for self-attestation by each business entity to establish the state of its cybersecurity readiness. The Cyber Standard annual self-attestation checklists include areas such as:
• Policy
• Security controls
• Encryption
Closing Thoughts
Managing the Cyber Standard requires a few important recommendations to be implemented at any organization. First, an organization must ensure that it has identified, documented and communicated the individual and team responsible for managing the Cyber Standard across the organization. They must have the time and resources to address the organization’s cybersecurity priorities and initiatives.
Second, an organization’s Cyber Standard must be documented. This document establishes the components and priorities of an enterprise compliance program. The CISO must ensure that it is regularly updated and communicated to senior executives. Third, complete a formal, thorough risk analysis exercise with discipline on an annual basis. The scope must include a technical vulnerability assessment. The risk analysis exercise provides critical information to establish the risk management program and identifies gaps that must be addressed to mitigate risk to the enterprise.
In the context of cyberthreats in 2016, cyberrisk equals disruptive business risk. Any time there is a breach or a cyberattack on an organization, it typically disrupts business priorities for senior leadership as well as for the IT and compliance departments. This costs the business valuable time and productivity in addition to the direct financial impact.
Finally, a cybersecurity program equals a cybersecurity standard.
The Cyber Standard establishes the foundation for policies, technologies and associated practices. On a regular basis, the CISO must advise senior leadership about the state of cybersecurity readiness.
Ali Pabrai, CISSP, MSEE, Security+
is a cybersecurity and compliance expert and the chief executive of ecfirst. He has successfully delivered solutions to thousands of clients worldwide, including US government agencies, IT firms, health care systems, legal and other organizations. Pabrai serves as an interim CISO for a health system with more than 40 locations in the US. He has led numerous engagements worldwide for ISO 27001, PCI DSS, US National Institute of Standards and Technology and HIPAA/HITECH security assessments. Pabrai has presented keynote addresses and featured briefs on cybersecurity and compliance subjects at leading conferences globally, including in the US, Canada, India, the United Arab Emirates, Saudi Arabia, the Philippines, Japan and other countries. He is a proud member of InfraGard, a security partnership between the US Federal Bureau of Investigation and the private sector.
Date: June 15, 2016
Source: ECFirst