Project 4 Enterprise Cybersecurity Program Step 18 Record the Presentation
Urie L. Reed
Framework Enhancement Proposal
Dr. Roger Ward
CMP 640 Cyber Security Program Development
University of Maryland Global Campus
Enterprise Cybersecurity Program Step 5: Propose A Framework
For the organization's enterprise cybersecurity program to be successful, it is critical to establish a robust cybersecurity framework to work from. The company's program might be built on various cybersecurity frameworks, including those produced by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST), among others. While both frameworks are sound and have been developed by industry-leading organizations, I feel that the NIST framework should be used. The NIST framework has been adopted and supported by the Department of Homeland Security (DHS), and it is being used as a basis for developing standards for the DHS critical infrastructure cyber-community program. It is adaptable, reproducible, performance-based, and cost-effective in its design and implementation. The NIST Cybersecurity Framework was created to improve cybersecurity in both the federal and private sectors.
The framework comprises three profiles: core, implementation, and tiers. Five essential components make up the foundation of the framework. The first is Identify, which helps the organization understand its risk profile in terms of systems, people, processes, technology, assets, and data. The second step is to mitigate, which reduces the business's exposure to risk ("Appendix C: NIST preliminary cybersecurity framework," 2018). The second part is titled Protect, and it specifies the measures required to keep the organization's critical services safe and protected; access controls are the most commonly used type of precaution. Third, Detect describes how the organization expects to identify cybersecurity incidents and how it will do so. Respond is the fourth category; it defines how an organization reacts to a cybersecurity crisis and sets out the business's incident response plan for when a cybersecurity problem occurs. It is important to note that the NIST Cybersecurity Framework is divided into levels according to the robustness of risk management practices within an organization (Akpose, 2016). The final area is Recover, which describes how an organization recovers from a cybersecurity incident and returns to normal operations, while documenting how to ensure that the incident does not happen again.
The framework is divided into four levels of complexity. Tier one organizations use a risk management methodology that is unsuccessful: their method is systemic, unreliable, and slow to respond to changing circumstances. Tier two organizations have a more informal approach to risk management (Blokdyk, 2019); their method is not thorough, is immature, and is insufficiently documented. A Tier three organization has established an orderly, robust, and routine risk management approach. Finally, a Tier four business has found and implemented a risk management process that is dynamic, responsive, and participatory.
While the NIST Cybersecurity Framework offers a solid foundation for our company, some improvements may be made to the framework to better meet our needs.
The NIST Cybersecurity Framework specifies and outlines how to correctly apply a foundational document's policy and technology components to develop a comprehensive and effective security program. In this framework, we outline the policy that an organization like ours must follow to inform, guide, and direct how we protect our network, detect threats, and respond to cyber-incidents, as well as the process that must be followed to respond to these threats and attacks when they occur. Policy requirements for protecting our networks and systems include separation of duties, least privilege, and minimum encryption standards to safeguard our data while it is at rest and in transit, to name a few examples (Blokdyk, 2019). Additional policies laid out in the document include those relating to the need to find vulnerabilities, the frequency with which vulnerability scans must be performed, and the access and security measures in place to secure and defend our organization. In addition, the framework describes the process and procedures to be followed once a cybersecurity incident has taken place. The policy addresses developing and implementing disaster recovery and incident response strategies.
The NIST framework also describes the technical measures and controls required to meet the standards for protecting against, detecting, responding to, and recovering from cyber-incidents. It provides the requirements and methods for implementing technological controls such as firewalls, intrusion detection and protection systems, and access controls, among other things (Brumfield & Haugli, 2021). From a technical standpoint, the response to a cyber-incident includes items such as patch management and ensuring that the most recent upgrades are implemented. Installing new software that removes the vulnerability and ensures it can no longer be exploited can also be part of the process. Restoring from backups or rolling back to a previous state in which the vulnerability was not present are examples of technical measures that may be taken during the recovery phase.
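The policy requirements named in the two paragraphs above (encryption at rest and in transit, least privilege, a fixed vulnerability-scan frequency, and patch management as part of response) only become enforceable once each is turned into a check that runs against the asset inventory. The following is an added example, not part of the paper or of the NIST framework itself: it maps each named requirement to a concrete check and tags every finding with the framework function it supports. The asset records, the threshold values in `POLICY`, and the placement of the scan check under Detect are constructed assumptions for the example; the placement of patch management under Respond follows the paper's own description.

```python
"""Evaluate a constructed asset inventory against policy thresholds and
report each breach under the NIST CSF function it belongs to.
Added example: asset data and thresholds are constructed, not from the paper."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed policy thresholds (assumptions for this example, not from the paper).
POLICY = {
    "min_tls_version": (1, 2),   # encryption in transit: accept TLS 1.2 or newer only
    "scan_interval_days": 30,    # vulnerability scans at least every 30 days
    "patch_sla_days": 14,        # critical patches applied within 14 days of release
    "max_admins": 2,             # least privilege: at most two standing administrators
}


@dataclass
class Asset:
    name: str
    encrypted_at_rest: bool
    min_tls_version: Tuple[int, int]       # lowest TLS version the service still accepts
    last_scan: date                        # date of the most recent vulnerability scan
    oldest_missing_patch: Optional[date]   # release date of the oldest unapplied critical patch
    admins: List[str] = field(default_factory=list)


Finding = Tuple[str, str, str]   # (CSF function, control, detail)


def evaluate_asset(asset: Asset, policy: dict, today: date) -> List[Finding]:
    """Return one finding per policy requirement the asset fails to meet."""
    findings: List[Finding] = []
    if not asset.encrypted_at_rest:
        findings.append(("Protect", "encryption-at-rest", "data at rest is not encrypted"))
    # Tuple comparison orders (1, 0) < (1, 2) < (1, 3), i.e. TLS 1.0 < 1.2 < 1.3.
    if asset.min_tls_version < policy["min_tls_version"]:
        major, minor = asset.min_tls_version
        findings.append(("Protect", "encryption-in-transit", f"still accepts TLS {major}.{minor}"))
    if len(asset.admins) > policy["max_admins"]:
        findings.append(("Protect", "least-privilege",
                         f"{len(asset.admins)} standing administrators"))
    scan_age = (today - asset.last_scan).days
    if scan_age > policy["scan_interval_days"]:
        findings.append(("Detect", "vulnerability-scan", f"last scan {scan_age} days ago"))
    if asset.oldest_missing_patch is not None:
        patch_age = (today - asset.oldest_missing_patch).days
        if patch_age > policy["patch_sla_days"]:
            findings.append(("Respond", "patch-management",
                             f"critical patch outstanding for {patch_age} days"))
    return findings


def evaluate_inventory(assets: List[Asset], policy: dict, today: date) -> Dict[str, List[Finding]]:
    """Run every asset through the checks; the result is keyed by asset name."""
    return {asset.name: evaluate_asset(asset, policy, today) for asset in assets}


def summarize(report: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count findings per CSF function, which is how a governance review would roll them up."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for function, _control, _detail in findings:
            counts[function] = counts.get(function, 0) + 1
    return counts


# Constructed sample inventory: one compliant system, one legacy system that
# breaks every rule, and one system with a patch still inside its SLA window.
TODAY = date(2024, 6, 1)
SAMPLE_ASSETS = [
    Asset("core-banking-db", True, (1, 2), TODAY - timedelta(days=10), None, ["dba-lead"]),
    Asset("legacy-reporting", False, (1, 0), TODAY - timedelta(days=45),
          TODAY - timedelta(days=30), ["ops1", "ops2", "contractor"]),
    Asset("customer-portal", True, (1, 3), TODAY - timedelta(days=5),
          TODAY - timedelta(days=7), ["web-admin", "sre"]),
]

if __name__ == "__main__":
    report = evaluate_inventory(SAMPLE_ASSETS, POLICY, TODAY)
    for name, findings in report.items():
        status = "compliant" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for function, control, detail in findings:
            print(f"  [{function}] {control}: {detail}")
    print("per-function totals:", summarize(report))
```

Each threshold lives in one place, so tightening the policy (for example, raising the minimum TLS version or shortening the scan interval) changes the checks without touching the logic, and the per-function totals give the governance layer the view it needs of where the program is weakest.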
Although the NIST framework is a good foundation for our organization, it does not address some issues that are specific to us, such as the requirements of PCI-DSS, the policy requirements that arise from international organizations or laws, and the regulations that have been enacted regarding the protection of personally identifiable information (PII). Including these considerations in the framework that we will employ for our organization will be necessary. These are very specific needs, but we should also address and elaborate on a couple of broader problems to ensure that we have covered all of our bases and that we are as secure as possible.
While governance is briefly discussed in Identify, it should be elaborated on and explored in more depth. As a result, we will need to put suitable governance structures in place for our financial-sector business. We will need to consider incorporating a risk management technique that is both effective and efficient. Maintaining a comprehensive cybersecurity policy will be essential for the foreseeable future. To guarantee that our cybersecurity program is successfully implemented, we will need to ensure that senior individuals within our business have the resources and access they require. Designating relevant senior personnel and providing them with the help and access they need are essential steps.
As the importance of supply chain management grows, and as the threat supply chains pose to businesses grows, we must guarantee that this is taken into account. Although it is only a minor line item under Identify in the framework, I believe it should be built upon in the same way governance has been. It is critical that we effectively manage risks that arise from our internal and external dependencies, such as our suppliers, consultants, and customers, to guarantee that we achieve our objectives (Brumfield & Haugli, 2021). We need to ensure that our organization, the financial services industry, and the entire recognized critical infrastructure are resilient in the face of disaster. Finally, we must make sure that we maintain, safeguard, and defend the entirety of our business environment, since this is crucial to our long-term survival and growth.
Finally, we should build our cybersecurity program around the NIST framework, which covers the vast majority of the needs of our organization. In doing so, we will be laying a solid basis for our organization's cybersecurity program. By incorporating the requirements of PCI-DSS, the policy requirements arising from international organizations or laws, and the regulations around the protection of personally identifiable information (PII), we will be more secure and in compliance with international law and regulations. After all is said and done, if we have a more robust system of governance and defense for our supply chain and business environment, our cybersecurity program will provide adequate protection.
References
Akpose, W. (2016). NIST cybersecurity framework: A practitioner's perspective. 6igma Associates.
Appendix C: NIST preliminary cybersecurity framework. (2018). Cybersecurity, 715-725. https://doi.org/10.1002/9781119369141.app3
Blokdyk, G. (2019). NIST cybersecurity framework: A complete guide - 2019 edition. 5starcooks.
Brumfield, C., & Haugli, B. (2021). Cybersecurity risk management: Mastering the fundamentals using the NIST cybersecurity framework. John Wiley & Sons.