Every organization needs a cybersecurity plan and, while it may seem daunting, creating one may be easier than you think.
- First, you must fully understand the meaning of cybersecurity.
- Second, you need to learn what regulators, experts and others mean when they say you need a cybersecurity plan.
- Third, you build an effective cybersecurity plan.
1. Cybersecurity definitions: the easy step
The first step is easily accomplished by reviewing a few definitions.
Cybersecurity is the process of protecting information by preventing, detecting, and responding to cyber attacks.
A cyber attack targets an organization’s use of cyberspace to disrupt, disable, destroy, or maliciously control a computing environment or infrastructure; or destroy the integrity of the data or steal controlled information.
Cyberspace is more than just the Internet. It consists of interdependent network infrastructures including the Internet, telecommunications networks, computer systems and embedded processors and controllers.
A cyber event is a cybersecurity change that may have an impact on the organization’s operations, whereas a cyber incident is a cyber event which has had an impact on the organization, prompting the need for response and recovery.
For example: A security breach after a hack or an employee’s loss of an unencrypted USB key with confidential data are cyber incidents. In these two instances, the organization must respond to and recover from the hack or the loss of the USB key.
2. What’s in a cybersecurity plan?
The second step is trickier. Some organizations may not fully understand what a cybersecurity plan entails.
For instance, some may believe that all they need are procedures to respond or recover from a hack or other security breaches.
Protection beats reaction
Although security breach procedures are a key component of a cybersecurity plan, security breach procedures are primarily reactive as they are triggered after the horses have already left the gates.
What organizations need is to manage all the normal organizational activities which have the potential to increase or decrease the likelihood of a security breach; that is, a proactive plan or cybersecurity framework.
A cybersecurity framework is a complete set of resources including policies, procedures, technology, personnel and other resources used to assess and mitigate cyber risks, in compliance with the law and best practices.
You’ve probably already started
Your organization may already have several policies that affect cybersecurity; for example, policies on asset inventory, Internet use and password. You may also have a privacy officer, risk manager or IT manager.
The cybersecurity framework pulls all the various policies and resources together into a comprehensive structure to address cybersecurity.
This is why it can be easier than you think to create a cybersecurity plan: you may already have many of the components in place.
3. Creating your cybersecurity plan is an ongoing process
Building a solid cybersecurity plan may involve a lot of work, but you can divide it up into smaller, more manageable tasks by following these six steps:
- Board or board committee: Put cybersecurity on your board’s radar. The board should have oversight of cybersecurity.
- Cybersecurity risk assessment: The board should request a high-level cybersecurity risk assessment. This involves identifying the organization’s assets, systems, other resources and policies and identifying the cybersecurity risks associated with these resources.
- Reporting, review and next steps: Report on the findings of the risk assessment, review the results and plan next steps. The board should ensure that the organization addresses recommendations arising from the risk assessment.
- Form a cybersecurity committee: The board should ensure that there is a cybersecurity committee at the management level, to implement or improve the cybersecurity framework and liaise with the board or the board committee responsible for cybersecurity.
- Create a cybersecurity framework: The cybersecurity committee must ensure that the organization creates and organizes resources and written policies and procedures into a cybersecurity framework.
- Continuously improve and update: Cybersecurity requires ongoing attention to build organizational capacity. This involves regular effectiveness reviews, testing of policies and procedures and training and education for boards, management and employees.
This might take six weeks or six months, but the sooner you start the sooner you’ll be protected from potentially devastating cyber risks.
Key principles to follow in cybersecurity planning
A cybersecurity framework should include five core high-level functions for you to organize your cybersecurity activities and outcomes:
- Identify – Identify and understand the organization’s systems, assets, data and capabilities. This includes Asset Management, Risk Assessments, Governance and Supply Chain Risk Management.
- Protect – Develop and implement safeguards to mitigate cyber risks. This includes Access Control, Awareness and Training, Data Security, Information Technology Processes and Procedures, Maintenance and Protective Technology.
- Detect – Develop and implement policies and procedures to identify cyber incidents. Outcomes include Continuous Security Monitoring, Detection Processes, and identifying Anomalies and Events.
- Respond – Take corrective actions in response to a cyber incident. Outcomes include Response Planning, Communications, Analysis, Mitigation, and Improvements.
- Recover – Recovery procedures will help organizations to resume normal or safe operations after a cyber incident. Outcomes include Recovery Planning, Improvements and Communications.
Where to get help
You can find detailed guidance on cybersecurity and a sample cybersecurity policy that meets current compliance requirements and best practices in Information Technology PolicyPro, Not-for-Profit PolicyPro and Finance and Accounting PolicyPro, co-published by First Reference and Chartered Professional Accountants Canada (CPA Canada).
(Click the links to try any of them free for 30 days.)
Each policy is tailored to the audience of its manual and based on industry standards developed by the National Institute of Standards and Technology (NIST), particularly its Framework for Improving Critical Infrastructure Cybersecurity, which is currently under revision. NIST has mapped the core functions in its framework to COBIT 5 (Control Objectives for Information and Related Technologies), published by ISACA (previously, Information Systems Audit and Control Association).
These comprehensive policies will help you create and maintain a cybersecurity plan.