Cybersecurity Governance and Why It’s an Indispensable Element of Effective Cybersecurity Planning
Posted on May 16, 2023 by Jason Franks
Every organization should have a cybersecurity program to prevent — ideally — and mitigate cyberattacks. This is especially true of public safety and justice organizations that increasingly find themselves in the crosshairs of cyberattackers.
It can be well argued that every such program should have at its foundation the cybersecurity framework developed by the National Institute of Standards and Technology (NIST). The framework has five distinct functions that are based on a plethora of standards, guidelines, and best practices, as follows:
- Identify — develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- Protect — develop and implement the appropriate safeguards to ensure the delivery of services
- Detect — develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- Respond — develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- Recover — develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
Expansion of NIST Cybersecurity Framework: Cybersecurity Governance
Now NIST is working to expand the framework by adding a sixth function concerning cybersecurity governance, which is an overarching function that takes into account the original five functions. This effort is expected to be completed in the second half of next year. NIST taking this action underscores the importance of effective governance and should grab the attention of every information-security officer working in the public sector.
Think of cybersecurity governance as the rules of the road. Before they were established, driving an automobile was a haphazard and often dangerous experience — chaos was the norm and crashes were a daily experience. Today, in an information-technology world marked by the constant threat of cyberattacks, cybersecurity governance provides a holistic framework for developing policies that make the environment less hazardous.
The essential elements of effective cybersecurity governance beyond those identified by NIST’s framework include the following:
- Password/passphrase management — This policy ensures that passwords and passphrases are sufficiently complex and are changed at regular intervals.
- Impact assessment — If a network or system were rendered inoperable by a cyberattack, this policy would consider the impact the event would have on the organization’s ability to fulfill its mission.
- Acceptable use — This policy would ensure that staff members are using the organization’s assets appropriately. For example, staff members might be prevented from plugging personal USB devices into their laptops because those devices might contain malware of which the user is unaware.
- Social media — This policy would provide guidance regarding the opening of email attachments, how to recognize and avoid phishing scams, and the like, to prevent a staff member from unwittingly introducing malware into the network or system and activating it.
- Training — This policy would establish a regular rhythm of training exercises to ensure that all members of the organization, from leadership on down, are adhering to all cybersecurity governance policies.
Common Mistakes in Developing Cybersecurity Governance
A common mistake that organizations make when developing cybersecurity governance is that they look too inwardly and don’t consider the vulnerabilities that vendors inadvertently and unwittingly create when they access networks and systems.
For example, it is common for vendors to leave ports open when they finish maintenance work. When that happens, cyberattackers are presented with an entry point into the network or system. Once inside, cyberattackers navigate laterally in search of other vulnerabilities that can be exploited, often for months at a time. The organization needs a policy within its governance that quickly identifies such events and mitigates them before a breach occurs.
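One concrete way to give such a policy teeth is to keep a governance-approved baseline of listening ports per host and flag any drift after vendor maintenance. The following is an added illustration, not MCP's code or part of the original post; the host names, baseline entries and `ss -lntu` output are constructed sample values.

```python
"""Detect listening ports that are not on the governance-approved baseline.

Added illustration, not MCP's code. It parses constructed `ss -lntu` output
(as an inventory agent might collect per host) and compares it with an
approved baseline so that ports left open after vendor maintenance show up
as drift instead of lingering unnoticed.
"""

# Approved baseline: (host, proto, port) -> justification. Constructed sample values.
BASELINE = {
    ("cad-app-01", "tcp", 22): "admin SSH via bastion",
    ("cad-app-01", "tcp", 443): "CAD web front end",
    ("cad-db-01", "tcp", 5432): "PostgreSQL from app subnet",
}

# Constructed `ss -lntu` output per host; the header line is included as ss prints it.
SS_OUTPUT = {
    "cad-app-01": """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    *:443              *:*
tcp   LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*
""",
    "cad-db-01": """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      244    10.0.2.15:5432     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
""",
}


def parse_ss(host, text):
    """Return the set of (host, proto, port) listeners found in `ss -lntu` output."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # skip the header and anything that is not a socket row
        port = int(fields[4].rsplit(":", 1)[1])  # "0.0.0.0:22" -> 22, "[::]:443" -> 443
        listeners.add((host, fields[0], port))
    return listeners


def find_drift(baseline, ss_by_host):
    """Return (unapproved, missing): listeners with no baseline entry, and baseline entries not listening."""
    observed = set()
    for host, text in ss_by_host.items():
        observed |= parse_ss(host, text)
    unapproved = sorted(observed - set(baseline))
    missing = sorted(set(baseline) - observed)
    return unapproved, missing


if __name__ == "__main__":
    unapproved, missing = find_drift(BASELINE, SS_OUTPUT)
    for host, proto, port in unapproved:
        print(f"UNAPPROVED {host} {proto}/{port}: no baseline entry; ticket it to close or approve")
    for host, proto, port in missing:
        print(f"MISSING    {host} {proto}/{port}: approved service not listening ({baseline[(host, proto, port)]})")
```

Run on a schedule after any vendor change window, the unapproved list is the event the policy needs to surface; the missing list catches approved services a vendor may have knocked over.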
Another example concerns multiple vendor personnel using the same password or passphrase to gain access to a network or system — the more people using a password or passphrase, the less effective it becomes, with the result being an exponential rise in cyberattack risk.
MCP’s cybersecurity team is adept at crafting effective cybersecurity governance and has done so for numerous clients — so please reach out. We would welcome the opportunity to help you strengthen your cybersecurity posture.
Jason Franks is an MCP cybersecurity analyst. Email him at JasonFranks@MissionCriticalPartners.com.