Cybersecurity resilience



Figure 1 Source Pexels.com

The security issues with Facebook and Twitter highlight that build a strong cyber resilience management system is not easy. We have seen that such system involves both technical aspects and as well as human behaviors.
The scope of this article is to provide a brief overview of cyber resilience management in private organizations and public offices. Let's take a step back and start with the basics.

Definition

Some years ago, we could have thought about cybersecurity like something related to preventing unwanted accesses to information within the fence of a company. Hence, prevent not authorized people to access company information system has been historically a “job” for the IT personnel. In today world the situation is more complicated. Think about BYOD (Bring Your Own Device), or the possibility to cooperates with partners and suppliers. The borders are so extended that the decision makers should not ask the question "if" an accident may happen but "when" it will happen “how” the system will be able to detect it and quickly recover. Hence, today we talk about cyber resilience that is a wide concept that goes beyond IT. Companies and public offices need to establish a management system where are in balance both preventative and persuasive controls with recovery and repressive controls. Like every management system, it should include IT/IS infrastructure, organizational management, physical infrastructure management, supplier management, partners and customers management.

Cyber resilience management system

There are several standards and best practice collections that can help an organization to project its own cyber resilience system. For example:
  •         The ISO 27000 set of standards
  •          NIST (National Institute of Standard Technology), cybersecurity session
  •          COBIT 5

Most of the cyber security controls are related to IT, therefore, a best practice would be to align the management system with the already established one. The most recognized standard for IT service management is ITIL (Information Technology Infrastructure Library). Axelos, the company that manages it, has developed this approach with the new certification path called "Resilia, Cyber resilience best practices". This article is based on that approach.
If you are new about ITIL, these are the five steps to manage the lifecycle of a generic IT service:
  •          Service strategy: the first step is to define the strategy
  •          Service design: then the service is designed
  •          Service transition: change management processes take place, hand over to the operations team
  •          Service operations: here all controls are in place and managed by the operations team.
  •          Continuous improvement: this is where the actual service is reviewed and improved.

Strategy

The strategy definition of a cyber resilience management system is something that the CSO (Chief Security Officer) or the program manager needs to develop with senior management and executives. The first step is to gather the requirements and therefore to set the foundation that explains the “why” the organization needs such control system. Here you need to answer other questions including the creation of the mission and the vision for the cyber resilience.
The output should be the implementation of the company policies, people awareness, the governance that includes, for example, the financial side of the implementation of the cyber resilience management system.

Design

This is the phase where the strategy becomes tangible because is when the team designs the new controls. The scope of work includes:
  •         Business processes;
  •          Physical system (e.g., access control, endpoints like computers and mobile phones);
  •          IT systems and processes;
  •          An organization with roles and responsibilities;
  •          Company culture towards cyber resilience. 

A gap analysis should be done to understand what the current situation is and what is the desired status to achieve. The ISO 27001 standard could help with its checklist made by 114 points. There are many areas in the organization to consider, for example:
  •          Employment process through the life cycle, from hiring to termination;
  •          Suppliers management;
  •          Data management (e.g., data access, data modification, data storage, data transmission);
  •          Business continuity.

Where the IT services need to utilize XaaS type of resources, a useful source of information would be the Cloud Security Alliance.
The deliverables of this phase are the design of the services/controls that will transition into production.

Transition

The scope of this phase is to introduce the designed control in the operational environment. Hence, change management plays a significant role in these activities. Attention should be given to avoid business disruption during the transition phase, and risk management will help on this. The deliverables are:
  •          Configuration Management, including change management;
  •          Testing, including penetration testing;
  •          Documentation;
  •          Training.

At this stage, the test protocol should provide feedback about the expected performance.

Operations

Once the controls are in place and they protect the organization, the operation team takes care of the day to day business. An incident and problem management system together with a request fulfillment system should be in place. The organization manages several types of controls, for example:
  •         Preventative Controls (e.g., user access controls)
  •          Detective Controls (e.g., logs);
  •          Corrective Controls (e.g., backups);
  •          Deterrent Controls (e.g., term and conditions in the employment contract);
  •          Reductive Controls (e.g., recovery plan, configuration management system);
  •          Repressive Controls (e.g., IDPS - Intrusion Detection and Prevention System);
  •          Compensatory Controls (e.g., built-in redundancy).

One of the task for the technical team is to monitor the access log files and the network traffic. The details for log accesses should be different for a normal user or a superuser. In fact, the last one normally could create a higher damage to the organization. Another aspect to consider is that the organizations are not anymore isolated (e.g., process integration with suppliers, e-commerce portal). Hence, a good practice would be to terminate all external connection to a “demilitarized zone” that host public information and, from that point on allowing the access to the core network through a firewall that screens the traffic. 

Continuous improvement

A cyber resilience management system requires being aligned with the changes in technology and business environment (e.g., BYOD). A good practice would be to make a quarterly review of the system and to plan audits (internal and/or external). The source for improvement opportunities can be the incident log, users survey, or the audit report. The continuous improvement processes can follow the PDCA (Plan Do Check Act) lifecycle and aim for a maturity level according to a model such as CMMI (Capability Maturity Model Integration).

Conclusions


Cyber resilience is a new way of thinking about cybersecurity. It is not anymore, a question of "if" rather is "when" an attack will happen. Hence, the system should be designed to balance the preventative controls with detective and recovery controls. The system should be designed with in mind the "how" the organization can quickly recover after the detection of an incident. Cyber resilience is not anymore, and issue bounded purely with IT within the “walls of an organization” but it affects employees, suppliers, and partners. Therefore, it is important to plan an effective communication, create awareness among the stakeholders and manage risks holistically.

Popular posts from this blog

From Project Inferno to Phoenix: Rebooting a Critical Project Without Burning Bridges

Image
  We've all been there. A project you once saw brimming with potential has morphed into a multi-headed beast – months behind schedule and haemorrhaging hundreds of thousands of dollars. That's exactly what I inherited when I was assigned to lead the "Phoenix Project" (name a bit ironic at the time). Facing the Flames: Initial Assessment My first order of business was a thorough examination of the project landscape. I pored over documentation, interviewed stakeholders, and conducted deep dives into the team's workflow. The situation was grim. Scope creep had mutated the project's original goals, communication channels resembled a game of broken telephone, and morale was at an all-time low. The Sponsor's Scorched-Earth Solution During my initial meeting with the project sponsor, the tension was so thick you could cut it with a Gantt chart. As I presented my findings, his face contorted in frustration. Before I could even propose solutions, his response was ...
Read more

Building a Ferry Booking Marketplace: A Blueprint for Success

Image
  Introduction Imagine a world where planning a ferry trip to a Greek island or an Albanian coastal town is as easy as booking a flight. That's the vision behind our ferry booking platform. We're not just building a website; we're constructing a digital marketplace that will revolutionize ferry travel. This post will delve into the technical architecture, development strategy, and go-to-market plan for this ambitious project. 1. Architecture: A Foundation for Scalability A robust architecture is paramount to handle the expected influx of users and data. We'll adopt a microservices architecture for its flexibility, scalability, and resilience. This means breaking down the platform into smaller, independent services that can be developed, deployed, and scaled independently. Core Microservices : Booking engine, payment gateway integration, inventory management, user management, and analytics. Data Layer : A cloud-based, NoSQL database like MongoDB for flexibility and scal...
Read more

Projectizing Your Service Management Office: A Case Study in Automotive Parts

Image
  Imagine this: You're a leading automotive parts manufacturer, supplying critical components to global OEMs. Your service management office (SMO) is the unsung hero, ensuring seamless operations and customer satisfaction. Yet, amidst the complexities of the automotive industry, with its stringent quality standards and rapid technological advancements, your SMO is feeling the pressure. It's time to shift gears. The Challenge Your SMO is bogged down in reactive firefighting, struggling to keep up with the demands of a dynamic supply chain. Customer complaints are increasing, and there's a growing need for proactive problem-solving and continuous improvement. Your organization recognizes the potential of a project-based approach, but how do you translate this concept into tangible results? Project-Based Transformation The solution lies in projectizing your SMO. By breaking down service management into discrete projects, you can focus on specific challenges, measure outcomes, ...
Read more