Cyber Balancing Act
As Equifax Inc. discovered with its record settlement with the Federal Trade Commission in July 2019, valued at up to $700 million, focusing on business and profits alone can be costly (Federal Trade Commission, 2019). The settlement was far from the only cost Equifax incurred from its loss of the personally identifiable information of roughly 147 million people, a breach disclosed in September 2017. As the story unfolded over the following years, a culture of lax cyber security practices was revealed, and the result has been more than a billion dollars ($1.4 billion as of May 2019) in losses and further investments to shore up consumer confidence (Schwartz, 2019). Clearly the balancing act had not been proportioned toward cyber security and protecting Equifax from the risk of a catastrophic data breach. Either the management team was not aware of the risks, or the cyber security team was unable, or not concerned enough, to ensure that an emphasis on cyber security was balanced against profit and business operations.
In my course Management and Cyber Security, we focused on identifying which processes and engineering principles to follow so that investments are economically sound, backed by strategic management support and written processes, while improving my professional knowledge of management and cyber security roles, expectations, and the capability to ensure alignment with business goals. As in the case of Equifax, ensuring that my C-suite (CEO, CIO, CTO, CISO) is well informed and can make sound decisions to address cyber risks is one of my primary professional duties. This especially means raising cyber risks with the CISO and other cyber security oriented roles, who need to know when risks are not aligned with their understanding and expectations. Balancing my organization's strategic goals by creating tactically sound ways to address risk required an understanding of management and psychology, and experience writing policies and processes, to ensure a holistic understanding.
Our final project for this course was to draft an ISSP, or Information System Security Plan, for a fictional company. An ISSP, or System Security Plan, is critical to ensuring a balanced and structured approach to addressing cyber risks. The federal government provides resources for doing this for cloud service providers and for federal agencies (General Services Administration, 2018). In addition, organizations like the SANS Institute provide their own resources and templates for creating a System Security Plan for companies (SANS Institute). However, every plan must be tailored to the organization it addresses, and that is what I provide here: my final from the course, an ISSP, attached below.
In the ISSP we look at how an organization addresses the threats facing the company, as well as the risks to the company's information, data, and systems. Identifying the laws, regulations, and compliance standards that apply to the company's data allows an organization to categorize and rate the risks and the impact of information compromise. Additionally, hiring qualified personnel and ensuring that business continuity and disaster recovery planning are addressed allows an organization to survive if, or when, disaster strikes. Creating a dedicated role, staffed by qualified personnel who are accountable for cyber security in the organization, provides a communication channel between information technology and senior executives. Finally, architecting a secure enterprise architecture, implementing appropriate cyber security tools and processes, and maintaining them allows an organization to ensure that it is prepared for cyber breaches.
References
- Federal Trade Commission. (2019, July 24). Equifax Data Breach Settlement. Retrieved July 27, 2019, from https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement
- General Services Administration. (2018). Developing a System Security Plan (SSP). Retrieved July 27, 2019, from https://www.fedramp.gov/developing-a-system-security-plan/
- SANS Institute. (n.d.). SCORE: Checklists & Step-by-Step Guides. Retrieved July 29, 2019, from https://www.sans.org/score/checklists/system-security-plan
- Schwartz, M. J. (2019, May 13). Equifax's Data Breach Costs Hit $1.4 Billion. Retrieved July 27, 2019, from https://www.bankinfosecurity.com/equifaxs-data-breach-costs-hit-14-billion-a-12473