Components to Include in Your Cybersecurity Program
Transcript
Question. An organization has a cyber security team. In effect, it’s putting together a whole program of cyber security. What should be the components of a good cyber security program for compliance purposes?

So, my answer to that question draws from major laws in this area such as Gramm-Leach-Bliley and HIPAA in the United States, and the General Data Protection Regulation in Europe. When I look at those laws, I see major themes that the policy makers, the law makers, have gravitated to. An important major theme is to identify a responsible officer and give that officer the appropriate authority within an organization to make things happen for cyber security and privacy purposes. So, for example, an organization might identify a Chief Information Security Officer and make sure that that security officer has the authority and resources to truly take the steps that are necessary to protect that organization from cyber security threats. Another very important theme from these compliance laws around the world is to adopt a risk-based approach to cyber security. A risk-based approach means that an organization evaluates or assesses risks, and even documents, to the appropriate degree: we have assessed these different kinds of risks, and based on our assessment of the risks, we are now logically implementing these safeguards. Higher risks justify more effort for safeguards. So, the types of risks that might apply to a hospital, for example, could be very different from the kinds of risks that might apply to a public housing authority. So, a question that people ask is, “How do I understand which risks are more important?” That can include a lot of factors, but an important factor for understanding which risks are more important is to use human sensibilities.

And human sensibilities, for example, might inform a cyber defender that, “I’m protecting a public housing authority, and as a human being who understands these people who live in public housing, I’ve come to understand what they care about. They care about their physical, postal address.” They care about locking that down because some of them consider it a stigma to be in public housing and they don’t want the outside world to know about this, and therefore our cyber defender realizes that the physical postal address of an individual is a very sensitive piece of information, and therefore, “I need to put a lot of effort into protecting that information.” So, among the different kinds of risks that cyber defenders should be evaluating as they are implementing their program for cyber security are risk to the reputation of the organization, risk to the operations of the organization, and risks to customers or constituents. Those can include the risks of identity theft or stalking. But maybe for other organizations, risks related to cyber security can ultimately have an impact on the environment, that is, climate emissions and other environmental types of concerns. But yet for other kinds of organizations that might be part of critical infrastructure, for example, the larger risks might be social risks: the risk to society or the risk to a city if critical infrastructure like a water treatment plant is attacked in some kind of a cyber-attack. So, these risks will vary from one organization to the next. But ultimately, I think and argue that a stronger security program will be one that is informed by risk, and therefore it’s more likely to be in compliance with whatever laws, rules, and regulations might apply to the organization.