There is news about a cyberattack against a computer network or significant computer system almost every day. The response to these attacks inevitably leads to cybersecurity. The emphasis is then on the need for a cybersecurity plan and the long list of things that the organization should have done or needs to do to protect itself. The question is then, what is a cybersecurity plan?
The first point is that a cybersecurity plan focused only on cybersecurity will not help. A second issue is that not many agree on where cybersecurity begins or ends or what it consists of. System security is required, with cybersecurity controls embedded in the system security plan. The difference is the focus; cybersecurity looks at data security, access control, system monitoring, etc.; system security includes these cybersecurity controls and user training and education, risk management, physical security, and other system-wide security aspects.
The point is that system security is an all-hazards approach to security, emphasizing the integration and synchronization of different security areas into a single plan. An example of the need for this holistic approach is that 90 percent of successful cyberattacks are through email, and training is the most successful means of combating this. System security success is then the result of doing many things successfully.
As the requirements for system security grow due to the increasing threats, there is a corresponding requirement for businesses to protect their systems by establishing system security plans and implementing these best practices. There are many system security plan outlines, and depending on the industry, there are specific industry standards.
An example of a system security plan template is the SANS Institute, the SANS Security Policy templates. The system security plan template for federal and non-federal systems is the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 for federal systems and NIST SP 800-171 for commercial or non-federal systems. The NIST standards are used to frame the Health Insurance Portability and Accountability Act (HIPAA), the Department of Homeland Security's system security plan, and other federal security requirements. Additionally, there are the International Organization for Standardization (ISO) standards. The most common is ISO 9001, which is a quality management process, and there is ISO 27001, which is an information security standard.
In broad terms, cybersecurity or system security should not be considered a single-purpose effort, with only one benefit meeting a certification requirement. The reality is that all businesses need to protect their information and information systems. When followed, any of the examples listed above will provide adequate security. All of these plans are designed to ensure three aspects of system security: availability, meaning the system and its information is available to appropriate users when it is needed; the integrity of information, or the assurance the information has not changed; and the confidentiality of the information, meaning the information has not been released.
A key goal in developing any system security plan is to meet adequate security requirements. Three general concepts frame adequate security. First is the acknowledgment that there is no such thing as perfect security. This means that it is impossible to be perfect and prevent all breaches or compromises. Secondly, adequate security is proportional to the value of the information, meaning the cost and effort that addresses security should be equal to the risk of a breach or compromise. Last, the plan should follow the best practices for the organization, which generally means using the industry-specific system security plan, which is often a business requirement.
Scrape away the technical and administrative requirements, and it is management buy-in and support that are essential elements in developing a system security plan. Meeting many of these requirements will often require business process engineering. All system security plans require institutionalization, which involves labor and system upgrades. These tasks require direct management involvement and the sustainment of company resources over the organization's life. The requirement is for system security, not only cybersecurity; the means to that end is through a holistic approach supported by the management throughout the organization.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at firstname.lastname@example.org.