Management and Cybersecurity
The Information Systems Security Plan (ISSP) is a formal document that presents an outline of an information system’s security requirements, detailing the controls presently in place or those planned for meeting those requirements. It describes the responsibilities and expected behavior of all individuals accessing the system and presents a structured process for planning adequate and cost-effective security protection. For a robust and effective cybersecurity strategy, this plan requires meticulous detail when identifying potential threats and outlining security policies and measures. The Information Systems Security Plan preserves the confidentiality, integrity, and availability of data as it mitigates threats to the security of a system (National Institute of Standards and Technology, 2006).
The development, implementation, and execution of the Information Systems Security Plan (ISSP) are an essential part of a cybersecurity strategy because they ensure strategic alignment with the organization’s business strategy. By integrating security into the strategic vision, the ISSP allows proactive decision-making that supports both business and security objectives (Gartner, 2024). Furthermore, the ISSP allows organizations to prioritize security initiatives, ensuring the optimal use of limited resources, and to make informed recommendations about risk management strategies. For this plan to be comprehensive, there must be collaboration among various stakeholders, such as information and system owners.
In terms of its application, the ISSP could be used in making educated decisions about risk management, complying with legal and regulatory requirements, and guiding teams on incident response procedures during security incidents. Additionally, the included plans for security training could help prevent security breaches.
Security professionals should not only ensure privacy and confidentiality when dealing with sensitive information but also obey the relevant laws and regulations. They should exemplify honesty and integrity and refrain from deceptive practices.
References:
Gartner. (2024). Information Security Strategy Best Practices. Retrieved from https://www.gartner.com/en/cybersecurity/topics/information-security-strategy
National Institute of Standards and Technology. (2006, February). NIST Special Publication 800-18 Revision 1. Guide for Developing Security Plans for Federal Information Systems. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf
Compliance Audits
Compliance audits are usually conducted by independent audit practitioners and are based on established frameworks such as ISO 27001, or regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA). During an audit, third-party independent practitioners assess the organization’s security posture in depth to determine its compliance status with the implemented framework or regulation. Compliance audits promote good governance and transparency and encourage accountability (Ramos & Iqbal, 2023).
There are five essential steps in the compliance audit process (Ramos & Iqbal, 2023).
The first step is the Research and Readiness phase, where the auditors confirm the audit scope, prepare an audit checklist, plan their approach, and coordinate scheduled times for the audit. In the second step, Documentation and Evidence Review, the auditors review and familiarize themselves with the policies and procedures to understand the governing principles and the business. When conducting Interviews in the third step, auditors ask questions to reinforce their knowledge of the business, its internal controls, and its compliance with the target framework. To identify whether the applicable controls are in place, they could ask an interviewee to walk through a process from end to end. In the Process Assessment and Employee Shadowing step, the auditors now have a satisfactory understanding of the business and its internal controls and begin to document their assessment based on the conducted interviews, documentation review, and testing. For the final step, Compilation of Compliance Report, the auditors present their final report with an overall assessment as well as an assessment for each phase.
Below is a copy of my report in which I discuss the benefits of a compliance audit.
References:
Ramos, C., & Iqbal, A. (2023, June 8). Compliance Audit: Definition, Types, and What to Expect. Retrieved from AuditBoard: https://www.auditboard.com/blog/compliance-audit/
Disaster Recovery Plans
A Disaster Recovery Plan is a documented strategy that organizations use after a disaster to assist in salvaging their IT systems and data. It includes responsibilities, policies, and procedures, and is an essential component of any organization’s business continuity plan. In the event of power outages, cyberattacks, human error, or application failure, a Disaster Recovery Plan provides comprehensive guidelines on how an organization should respond. Its goal is to minimize business disruptions and maintain important operations during and after a crisis.
Apart from business continuity, a robust Disaster Recovery Plan is essential for the following (Labyrinth Technology, 2023):
Restoring an organization’s continual operations and critical information with minimum disruption
Preserving an organization’s reputation by demonstrating its commitment to business continuity and protecting its information
Reducing network downtime and thus assisting in mitigating financial losses
Ensuring that the organization remains compliant with the applicable laws and regulations
Reassuring stakeholders that the organization is serious about Risk Management
Gaining a competitive advantage by demonstrating the organization’s commitment to data protection, and ensuring seamless operations.
A robust Disaster Recovery Plan is of critical importance for all organizations. According to the National Cybersecurity Alliance, after a disaster, 60% of small businesses fail within six months because of significant data loss, and within two years, 72% of them are on the brink of closure.
Below is a copy of my presentation on developing a robust disaster recovery plan. In it I delve into the required steps and the benefits of having one in place.
References:
Labyrinth Technology. (2023). What Is a Disaster Recovery Plan and Why Is It Important? Retrieved from https://www.labyrinthit.com/what-is-a-disaster-recovery-plan-and-why-is-it-important/
Building a Cybersecurity Team
Effective cybersecurity within organizations is dependent on the meticulous and strategic deployment of technology, processes, and people. Once an organization has carefully selected the best people with the applicable skills and supervises them for optimal performance, the team ensures that the technology and processes in place are effective and compliant (Buster, 2021).
The artifact that I selected discusses how to build a cybersecurity team, delving into the mix of skill sets, education, knowledge, work experience, and certifications a team should have. It recommends using the NICE Framework, also known as the Workforce Framework for Cybersecurity, which furnishes guidelines for building efficient and valuable cybersecurity teams.
An effective cybersecurity team adopts a value-driven approach, whereby its security objectives tightly align with the organization’s business objectives and goals to maximize business value. Employing value-driven security promotes the following principles (Silent Quadrant, 2024):
Organizations are able to estimate risk reduction benefits by using quantitative methodologies to compare the financial costs of cyber risks against the value of mitigating them.
When conducting business activities across departments, organizations should include security leaders to ensure that the security program evolves with the business.
Organizations could seek business opportunities through building trust and confidence with customers and other stakeholders, by promoting security.
In addition to compliance, security investments and initiatives should be prioritized based on their alignment with business goals and their potential to create monetary value.
Below is a copy of my report on “Building a Cybersecurity Team”.
References:
Buster, D. (2021, August 26). HOW TO BUILD A WINNING CYBERSECURITY TEAM. Retrieved from Global Knowledge: https://www.globalknowledge.com/us-en/resources/resource-library/articles/how-to-build-a-winning-cybersecurity-team/
Silent Quadrant. (2024). Unlocking Business Potential: The Power of Value-Driven Cybersecurity. Retrieved from https://silentquadrant.com/blog/the-power-of-value-driven-cybersecurity#:~:text=With%20a%20value-driven%20approach%2C%20security%20teams%20can%20work,cost%20reduction%2C%20competitive%20advantage%2C%20and%20other%20business%20objectives
Reflection
In an increasingly digital world, cybersecurity is critical not only for protecting our systems but also for preserving a safe way of life. As our identities shift more online, where supply chains use information technology to manage their businesses, bill payments are done online, and our Personally Identifiable Information (PII) is collected via wearable devices, there is a greater need for protection against the increasing cyberattacks targeting our sensitive information. According to the latest report from the Identity Theft Resource Center (ITRC), cyberattacks in the US in 2023 increased by 78% compared to 2022, with 353,027,892 persons affected by these breaches (Maundrill, 2024).
The CSOL 550 class sought to address the complexity and challenges of balancing organizations’ objectives and responsibilities with securing infrastructure, information, and resources. This course provided me with a deeper understanding of topics such as auditing and compliance, disaster recovery and continuity management, having an effective cybersecurity team, and the economics of cyber.
The artifacts I chose are closely aligned with my professional life. Last year, I experienced my first audit, which exemplified the need for documentation, process improvement, and an overall robust Information Security Management System (ISMS). Learning about auditing and compliance in this course assisted in preparing me for this event.
The primary goal of Annex A.17.1 of the ISO 27001 framework is ensuring that the organization’s business continuity management systems include continuity measures for information security. The knowledge I assimilated on this topic through research and active engagement in class is not only invaluable but also strategically aligns with the ISO 27001 requirements.
Before embarking on research about developing a cybersecurity team, I had never heard of the NICE Framework. After reading the NIST document, it made perfect sense to have a framework in place to assist employers in developing their cybersecurity workforce. The framework uses a common lexicon and encourages communication among cybersecurity stakeholders about how to identify, recruit, develop, and retain talent (National Institute of Standards and Technology, 2020). It is important for cybersecurity team members to be cohesive and collaborative, to have varying skills, and to be willing to share knowledge with other members of the team. I am fortunate to be part of such a team.
As a security professional, it is my duty to strive for continuous improvement, enhance my skills, and ensure that the Information Security Management System (ISMS) is effectively protected against threats. I am also expected to uphold the organization’s ethical standards, which are essential for guaranteeing a secure digital landscape.
References:
Maundrill, B. (2024, January 25). Data Privacy Week: US Data Breaches Surge, 2023 Sees 78% Increase in Compromises. Retrieved from Infosecurity Magazine: https://www.infosecurity-magazine.com/news/us-data-breaches-surge-2023/#:~:text=The%20number%20of%20reported%20data%20compromises%20in%20the,it%20represents%20a%2016%25%20decrease%20compared%20with%202022
National Institute of Standards and Technology. (2020, November). NIST Special Publication 800-181 Rev. 1 Workforce Framework for Cybersecurity (NICE Framework). Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181r1.pdf