Creating a sustainable cybersecurity management program | Baker Tilly
Article
Creating a sustainable cybersecurity management program
Jan. 11, 2017
Cybersecurity is one of the most urgent topics on the agendas of company leaders and boards of directors. Almost every week, there are new stories about data breaches affecting millions of customer records, payment card data and loss of trade secrets. The sources of cyber threats are growing in sophistication and nefarious intent. Professionals dealing with cybersecurity not only need to focus on thwarting hackers that intend to disrupt your organization or deface your website, but must also be prepared to address threats from professional cyber-espionage groups or sponsored foreign government intrusion. The latter are often organizations with sustained intent and the capability to cause real harm to your organization.
In fact, attacks have been so common in recent years that the conventional wisdom within the cybersecurity community has shifted from a mindset of IF we are hacked to WHEN we are hacked. The best-prepared companies are shifting their cybersecurity strategies from focusing on outright prevention to implementing techniques to quickly detect breaches and limit the damage once a breach has been confirmed.
This article focuses on describing the effective components of a sustainable cybersecurity management program which should be evaluated and discussed with senior management, the audit committee and the board of directors. We consider five main components when working with companies to improve cybersecurity effectiveness. Within your own organization, it is important to think about your level of maturity and preparedness with regard to these components.
1) Data classification
It’s easy for many security departments to turn into the department of no. This happens when an organization has not developed a clear understanding of the types and locations of information assets it maintains and, instead, tries to protect all data without regard to importance. By completing a data classification process, an organization can determine how much effort and cost is required to properly secure the most critical information assets. Once an organization has completed a data classification initiative, managerial decisions can be made to balance security expenditures with the real value of the data the organization is trying to protect.
Not all data needs to be protected the same way; some information is public, some information is company confidential, and some information is private. The amount of financial resources the organization expends to protect it, depends on its importance to your organization.
Assigning a value to that data. Data has value, either in the amount of competitive advantage the data permits or the hard costs associated with unauthorized disclosure of that data. A successful data classification effort will determine the intrinsic or cost avoidance value of the data set. Once an organization determines the true value of the data, it can determine how much to spend to protect it.
Cataloging where critical data exists. There are many place data exists (e.g., production databases, backup copies, data warehouses, departmental data stores, test and development systems). The location becomes crucial in determining how to protect it.
Identifying who has and who should have access to the data. This is critical and may evolve over time. It’s entirely possible that a company does not have a full picture of who has access to certain types of data. By identifying who has access to certain data, a company can determine who has a legitimate need to that data and can further restrict access to the data.
2) Security control implementation
Most of us by now are greatly familiar with general computer controls, which include the IT controls tested during a financial statement audit, but real cybersecurity controls go beyond simple change management and user access reviews.
Hackers aren’t filling out user access request forms or submitting change requests, so how are you making sure your control environment is prepared to deal with unknown and unseen threats? There are numerous cybersecurity control frameworks your organization can implement. We don’t recommend one specific framework over another, but three of the most common frameworks include:
Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53): One of the most comprehensive frameworks, this is the standard for security controls used by organizations doing business with the United States Government. Categorized in terms of system impact, the control catalog specifies control baselines for high, moderate, and low impact systems. The core of the framework groups control activities in terms of functions within the cybersecurity lifecycle: identify, protect, detect, respond, and recover.
ISO 27001: This international standard defines “requirements for establishing, implementing, maintaining, and continually improving an information security management system.” The ISO standard sets out the process that an organization should follow when managing information security. Annex A of the standard provides detailed control objectives and controls for information security. The ISO 27001 certification only verifies the information security management system, it does not provide assurance on the implementation of controls specified within Annex A.
SANS Critical Security Controls: The SANS Institute prioritizes security functions with an emphasis on “What Works” and defines the top twenty control areas for enhancing cybersecurity. Each of the twenty control areas includes over 100 implementation activities organized into “Quick Win,” “Visibility/Attribution,” “Configuration/Hygiene,” and “Advanced” categories. For organizations getting started with a formal cybersecurity program, the “Quick Win” controls throughout the framework are a great place to begin.
3) Regular verification of security control performance
While most leading cybersecurity control frameworks include verification controls, we call special attention to this as part of the process of managing cybersecurity. Periodically, organizations should evaluate their security controls to obtain assurance over cybersecurity control effectiveness and determine whether the cybersecurity controls are operating as intended within the organizations. We often see organizations with internal audit departments that focus extensively on internal controls over financial reporting. Evaluating cybersecurity controls (through a combination of control testing and penetration testing) is also a great way for internal audit departments to continue to add value by enhancing the overall security posture of the organization.
4) Breach preparedness planning and testing
Based on the premise that cybersecurity professionals now expect their organizations to be hacked, it logically follows that the organizations should have breach response procedures in place. Breach preparedness begins with defining the activities an organization should follow when invoking the plan. Specifically related to cybersecurity incidents and active breach scenarios, a response plan includes critical activities like:
Identifying whom to notify internally. Depending on the dataset compromised, it’s important to understand who to notify when there is a breach. Certain organizational processes and contingency plans need to be put in place and the process owners need to be involved.
Establishing a response team. Certainly, the IT department will be closely involved with the response. Depending on the organization’s industry, other stakeholders (e.g., regulatory affairs, risk management, vendor management and human resources) may need to be involved.
Implementing monitoring protocols to track intruder activity. Unplugging the compromised system from the network may not be an appropriate strategy following a breach. The organization may need to observe intruder behavior first hand to understand the extent of the breach. Additionally, law enforcement officials may need to monitor activity in attempts to track the intruder. Unplugging the system alerts the intruder that he’s been caught and will give him time to cover his tracks.
Establishing egress prevention. Once an attacker is in your network, he may remain there for a while looking for higher value targets. Preventing critical data from leaving the organization’s network without letting the attacker know he is being watched is important.
Notifying proper legal authorities. Make sure the organization knows who to call when a breach occurs. Knowing who to contact when a breach is suspected can help shorten your overall response time.
Estimating the extent of the compromise. Understanding what data has been compromised is critical to managing the breach response. The type and extent of compromised data may directly affect an organization’s notification, response, disclosure and any potential penalties.
Coordinating with legal counsel and insurance carriers. Depending on the type and extent of breach, legal assistance may be needed to file the necessary notices and help manage any legal consequences of the breach. To the extent that the organization is covered by a cyber-liability policy, notifying the carrier is a necessary step to prepare for the claim.
Analyzing root-cause and implementing security remediation. During the response, it is critical to identify how the breach occurred and then implement a remediation plan to address the vulnerabilities ensuring a similar breach cannot happen again.
Practice, practice, practice. As with disaster recovery and business continuity planning, proficiency with the plan comes with practice, so organizations should periodically conduct tabletop tests of the breach response plan to make sure stakeholders know what to do in the event of an actual breach.
5) Risk acceptance and risk transfer
As recent, high-profile breaches demonstrate, even with robust security processes in place, organizations can suffer a breach. When security measures fail, financial impacts (e.g., credit monitoring for affected customers, increased transaction processing costs, or fines assessed by regulatory agencies) may occur. Organizations must understand their financial exposure relative to a compromised dataset. At that point, the organization can evaluate the overall effectiveness of its cybersecurity process and decide whether to accept that risk or transfer that risk through a cyber-liability policy. Insurance carriers are quickly evolving cyber policies and coverage. Underwriters are taking closer looks at how companies assess and manage their cybersecurity risks. By implementing effective cybersecurity management programs, organizations may be able to receive reduced premiums or more favorable policy limits.
Conclusion
Cybersecurity management is a complex topic that requires substantial organizational attention to be effective. This is not solely the responsibility of the IT department. By working collaboratively across an organization, it is possible to more effectively manage cybersecurity risks and maintain a sustainable program in order to reduce the likelihood of an exposure, limit the extent and impact of an exposure and be prepared to recover from the damages of a breach.
For more information on this topic, or to learn how Baker Tilly risk specialists can help, contact our team.
