
Question

1. As emphasized above, identify an organization whose cybersecurity policy is available. Federal civil sector organizations may be candidates or state governments. A company where you are currently or would like to be employed may be a candidate. Start your search for a suitable organization early and anticipate that you may have to browse several before finding one suitable for this assignment.

2. A second critical aspect is to identify evaluation criteria or performance measures for the cybersecurity policy. Refer to applicable government, industry, and regulatory standards. In some cases, you may need to consider criminal or civil liability issues, and thus evaluation criteria may emanate from the judicial guidance.

3. A third critical aspect is application of your evaluation criteria to elements of the cybersecurity policy identified for analysis. Such analysis is likely to be qualitative for some aspects, quantitative for other aspects, and a hybrid for still other aspects of the policy. As such, your choice of measures and analytical techniques must be reasonable and justifiable.

Explanation / Answer

The IT department often gets a little apprehensive when my company is about to perform a vulnerability assessment or penetration test. It usually isn't because they are afraid we will find security issues -- most IT departments are stretched so thin that they have accepted that an audit will find security issues -- their concern comes from the fear of how management will react to the findings, as organizations where security is not ingrained in the culture will want to blame the IT department.

They mistakenly consider security to only be an IT issue, but that couldn't be farther from the truth. Information security is an organizational problem that requires organizational focus, originating at the board level and working down through the organization.

CISOs need to find ways to lead the board through the development and implementation of a cybersecurity policy to elevate organizational priority. This can be a challenge for the organizations that still see security as an IT-only problem and may require the CISO to utilize creative tactics.

The most difficult part of this process is getting time on the board's agenda. The approaches to getting on the agenda are as varied as the personalities on the board. A CISO can try building relationships with other executives to build support for a cybersecurity agenda.

Third-party consultants are sometimes more trusted than internal resources and can also be used to both build security awareness and get in front of the board. You may find support from board members in other industries, such as the banking and financial sector, that have experience in cybersecurity. Experimentation will be required to find the best approach for your organization.

Today an organization needs to have security ingrained into its culture to have a chance at defending its information assets. This culture must start from the top with the organization's board and executive management. The CISO plays a critical role in this culture of security by encouraging board participation through the development of a board cyber security policy. CISOs will have to use their knowledge of organizational politics, along with a little creativity, in order to help develop and foster the creation of this important policy. This may be one of the more effective methods for CISOs to finally elevate cybersecurity beyond being just an IT problem and up to a board-level priority.

Control Environment

Everyone in your organization plays a role in minimizing your organization’s cyber security risk, and it’s up to your organization’s management and cyber security team to communicate what that entails. Common sources of data loss offer a good indication of the types of policies and practices that should be part of your risk management culture. Misplaced or stolen electronic devices rank as the primary cause of data loss. Recommended practices for how to treat company equipment could reduce the number of these incidents within your organization. For example, you might want to require employees to take home or lock up any electronic devices at the end of the workday.

Hackers perpetrate roughly 18 percent of security incidents. They gain access to your organization’s networks through programs that trace the keystrokes on your computer or through malware inserted into your system via vulnerable software or third-party plug-ins. Your staff should be on guard for suspicious emails or other unusual requests for information, as they might be cyber security breaches in disguise.

Part of the risk assessment may include an information technology audit. The multifaceted approach to your existing protocol helps identify the areas of vulnerability and risk. A network security assessment can turn up vulnerabilities in your external and internal networks and review firewall, intrusion prevention and network access control systems and policies and assess wireless networks to provide you a clearer picture of where your risks may lie. Network penetration testing should also be included in your information technology assessment, as this can give you a sense of how easily security incidents can be detected in your current operating environment. Testing can also give you an idea of the potential magnitude a cyber security breach would have on your organization.