Chapter 7

The Cyber Security Program’s Strategic, Tactical, and Annual Plans

Abstract

The objective of this chapter is to establish the strategic, tactical, and annual plans for the cyber security organization. These plans will also set the direction for corporate’s cyber security program while integrating the cyber security plans into corporate’s plans, thus indicating that the cyber security program is an integral part of the corporation.

Keywords

Corporate annual business plan; Corporate format; Corporate’s strategy; Cost-effective method; Cyber security strategic plan; Cyber security tactical plan

Though this be madness, yet there is method in’t

William Shakespeare1

Introduction

The saying “Ya gotta have a plan” definitely applies to successfully accomplishing the duties and responsibilities of a cyber security officer. Without strategic, tactical, and annual plans, the officer would spend all of every day running from crisis to crisis, haphazardly trying to protect the corporation’s information and information systems. In addition, these plans are a cost-effective method of providing a secure information environment for the corporation.
There will always be crises to contend with; however, most crises can be planned for so that when one occurs, an emergency plan can be implemented. The plan provides, at a minimum, guidance and an outline of what to do, as well as when and how to do it rapidly and effectively. Let’s face it: most crises can be identified in advance, and we are already accustomed to doing so through disaster recovery and contingency planning for events such as fires, typhoons, and earthquakes. We should do the same for other events that would be classified as an emergency, such as, but of course not limited to, the following:
• Web-site attack and defacement,
• Denial-of-service attack,
• Worm or virus attack, and
• Other malicious attacks or accidents.
As a professional cyber security officer, when you learn of a new type of attack, check your emergency contingency plans and determine whether the latest type of attack would be addressed by one of those plans. If so, great! If not, then it’s time to develop another plan or update a current plan. By the way, as you should already know:
• These plans must be developed with input from various departments such as auditors, legal, and IT in a project team environment;
• They must be kept current; and
• They must be tested often to ensure that the identified emergency response team is trained and can operate effectively and efficiently.
As with the cyber security program, all plans should be placed online with read access for all employees. It will also be easier to keep the plans current, and through the intranet Website or through e-mail, everyone can be notified of changes to the plans. Two practical caveats apply. First, the parts of an emergency plan that an attacker could exploit (contact rosters, system details, the exact sequence of response steps) should be restricted to the response team rather than published to every employee. Second, the emergency plans must also exist as an out-of-band copy held by the response team, because a network attack or outage can make the intranet copy unreachable at exactly the moment it is needed. The cyber security officer should also have a project to ensure that information and systems protection policies and procedures are kept online for read access by all employees. The cyber security officer should consider, as much as possible, having a paperless cyber security program and cyber security organization.
At the corporate level, all information and systems protection plans are considered subsets of the cyber security program, as are all projects that are used to build the secure information environment.

Corporate’s Cyber Security Strategic Plan

To be successful, the cyber security officer must have a cyber security strategic plan. That plan should be integrated with, or at least compatible with, corporate’s strategic business plan. It is this plan that sets the long-term direction, goals, and objectives for information protection as stated in the cyber security program’s vision, mission, and quality statements.
Let’s look at an example of a possible strategic business plan of a corporation.
The corporate strategic business plan sets forth the following information:
• The expected annual earnings for the next 7 years;
• The market-share percentage goals on an annual basis;
• The future process modernization projects based on expected technology changes of faster, cheaper, and more powerful computers, telecommunications systems, and robotics;
• Corporate expansion goals; and
• Corporate’s acquisition of some current subcontractor and competitive companies.
The cyber security strategic business plan is the basic document on which to build the corporate cyber security program with the goal of building a comprehensive information protection environment at lowest cost and least impact to the company.
When developing the plan, the cyber security officer must ensure that the following basic cyber security principles are included, either explicitly or in principle (since they are part of the cyber security strategy):
• Minimize the probability that a vulnerability exists and can be exploited (prevention),
• Minimize the damage if a vulnerability is exploited (containment), and
• Provide a method to recover efficiently and effectively from the damage (recovery).
Let’s assume that the corporate strategic business plan called for a mature cyber security program within the next seven years that:
• Can protect corporate’s information while allowing access to its networks by its international and national customers, subcontractors, and suppliers and
• Can support the integration of new hardware, software, networks, etc., while maintaining the required level of cyber security without affecting schedules or costs.

The Cyber Security Strategic Plan Objective

The objectives of the plan are to:
• Minimize risks to systems and information,
• Minimize impact on costs,
• Minimize impact on schedules,
• Assist in meeting contractual requirements,
• Assist in meeting noncontractual requirements,
• Build a comprehensive systems security environment,
• Respond flexibly to changing needs,
• Support multiple customers’ information protection needs,
• Incorporate new technologies as soon as needed,
• Assist in attracting new customers, and
• Maximize the use of available resources.

Cyber Security Strategic Plan and Team Concepts, Communication, and Coordination

To have a successful cyber security program, the strategy calls for one that also deals with the office politics aspect of the corporate environment. A key element, which was stated earlier in this book, is to remember that the information and information systems belong to corporate, and not to the cyber security officer. Therefore, cooperation and coordination are a must!
Many functional organizations have an interest in the cyber security strategic plan and other cyber security program-related plans; therefore, the plans should be discussed with other team members such as the auditors, security personnel, human resources personnel, legal personnel, and others deemed appropriate.
The plan should also be discussed with and input requested from key members of the user community and corporate managers. After all, what you do affects what they do! It is a great way to get communication and interaction going. This will lead to a better plan and one that has broad-based support.
Their input and their understanding of what the cyber security officer is trying to accomplish will help ensure corporate-wide support for the cyber security program. Only with this kind of communication and interaction can the cyber security officer’s cyber security program succeed.

Cyber Security Strategic Planning Considerations

The planning considerations must include the following:
• Good business practices,
• Quality management,
• Innovative ideas,
• Cyber security vision statement,
• Cyber security mission statement,
• Cyber security quality statement, and
• Providing channels for open communication with others such as the auditors, systems personnel, security personnel, users, and management.
All these factors must be considered when developing a cyber security program strategy and documenting that strategy in the cyber security program.
The corporate process flow of plans begins with the corporate strategic business plan, proceeds through the corporate tactical business plan, and ends with the corporate annual business plan. Each plan’s goals and objectives must support those of the plans above and below it: top–down and bottom–up.
Once this process is understood, the next step is to map the cyber security strategic plan onto the goals and objectives of the corporate strategic business plan.

Mapping Corporate’s Cyber Security Strategic Plan to the Corporate Strategic Business Plan

Corporate’s strategy identified the annual earnings for the next seven years as well as market-share percentage goals. This clearly highlights the need for a cyber security program that will be cost-effective.
As was previously mentioned, cyber security is a “parasite” on the profits of corporate if it cannot be shown to be a value-added function (one that is needed to support the bottom line). Therefore, the cyber security program strategy must be efficient (cheap) and effective (good). If that can be accomplished, the cyber security program will be in a position to support the corporate strategy relative to earnings and market share.
Mapping these points in a flowchart or similar management tool can help the cyber security officer visualize a strategy prior to documenting that strategy in the cyber security strategic plan. The mapping will also assist the cyber security officer in focusing on the strategies that support the corporate strategies.2

Writing the Cyber Security Strategic Plan

Writing the plan will come much more easily once the mapping is completed. Once that is accomplished, the cyber security officer will write the plan following the standard corporate format for plan writing.
The corporate format was determined to be as follows:
1. Executive summary
2. Table of contents
3. Introduction
4. Vision statement
5. Mission statement
6. Quality statement
7. Cyber security strategic goals
8. How the cyber security strategies support corporate strategies
9. Mapping charts
10. Conclusion

Corporate’s Cyber Security Tactical Plan

A tactical plan is a short-range plan (a three-year plan) that supports the corporate cyber security program and cyber security functional goals and objectives. The cyber security tactical plan should:
• Identify and define, in more detail, the vision of a comprehensive cyber security environment, as stated in the cyber security strategic plan;
• Identify and define the current corporate cyber security environment; and
• Identify the process to be used to determine the differences between the two.
Once that is accomplished, the cyber security officer can identify projects to progress from the current corporate cyber security environment to where it should be, as stated in the cyber security strategic plan. In the corporate tactical plan, it is also important to keep in mind:
• The company’s business direction,
• The customers’ direction, and
• The direction of technology.
Once these are established, the individual projects can be identified and implemented, beginning with the cyber security annual plan.
The corporate tactical business plan stated (again, using an example of a corporate plan), “In addition, it is expected to be able to integrate new hardware, software, networks, etc., with minimum impact on schedules or costs.” Therefore, it will be necessary to establish a project with the objective of developing a process to accomplish that goal.
The cyber security officer must then also consider that the corporate cyber security program must contain processes to reevaluate the mechanisms used to protect information so that it is protected only for the period required. Therefore, a project must be established to accomplish that goal.
The corporate tactical business plan also called for the completion of a cyber security program that can protect corporate’s information while allowing access to its networks by its international and national customers, subcontractors, and suppliers. Therefore, another project that must be developed is one that can accomplish this goal.

Writing the Cyber Security Tactical Plan

Writing the plan should be somewhat easier based on the experience gained in mapping the goals for the cyber security strategic plan and the corporate plans. Once that is accomplished, the cyber security officer will write the plan following the standard corporate format for plan writing.
The corporate format for the cyber security plan was determined to be as follows:
1. Executive summary
2. Table of contents
3. Introduction
4. Cyber security strategic goals
5. How the cyber security tactical plan supports the cyber security strategic plan
6. How the cyber security tactics support corporate tactics
7. Mapping charts (use an organization chart or flowchart if a pictorial representation will help the reader understand the approach used)
8. Conclusion

Cyber Security Annual Plan

The cyber security officer must also develop a cyber security annual plan to support the corporation’s strategic business plan, cyber security strategic plan, and the corporate and cyber security tactical plans. The plan must include goals, objectives, and projects that will support the goals and objectives of corporate’s annual business plan.
Corporate’s cyber security annual plan is to be used to identify and implement projects to accomplish the goals and objectives as stated in all the other plans.
Remember, the cyber security program requires the following:
• Project management techniques,
• Gantt charts (schedule),
• Identified beginning date for each project,
• Identified ending date for each project,
• An objective for each project,
• Cost tracking and budget, and
• Identification of the responsible project lead.

Cyber Security Annual Plan Projects

The initial and major project of the cyber security officer’s annual plan is to begin to identify the current corporate and cyber security environment. To gain an understanding of the current corporate environment, culture, and philosophy, the following projects are to be established:
1. Project title: Corporate Cyber Security Organization
a. Project lead: Cyber security officer
b. Objective: Establish a cyber security program to support organization
c. Start date: January 1, 2016
d. End date: July 1, 2016
2. Project title: Cyber Security Program Policies and Procedures Review
a. Project lead: Cyber security officer
b. Objective: Identify and review all cyber security program-related corporate documentation, and establish a process to ensure integration, applicability, and currency
c. Start date: February 1, 2016
d. End date: April 1, 2016
3. Project title: Cyber Security Team
a. Project lead: Cyber security officer
b. Objective: Establish a corporate cyber security program working group to assist in establishing and supporting a cyber security program
c. Start date: January 1, 2016
d. End date: February 1, 2016
4. Project title: Corporate Proprietary Process Protection
a. Project lead: Cyber security organization systems security engineer
b. Objective: Identification, assessment, and protection of corporate proprietary processes
c. Start date: April 15, 2016
d. End date: September 1, 2016
5. Project title: Cyber Security Organizational Functions
a. Project lead: Cyber security officer
b. Objective: Identify and establish cyber security organizational functions and their associated processes and work instructions
c. Start date: January 15, 2016
d. End date: July 1, 2016
6. Project title: Cyber Security Support to IT Changes
a. Project lead: Cyber security organization systems security engineer
b. Objective: Establish a process to provide service and support to integrate cyber security policies, procedures, and processes as changes are made in the IT environment
c. Start date: March 15, 2016
d. End date: October 1, 2016
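The chapter requires that each annual-plan project carry an objective, a responsible lead, start and end dates, a schedule (Gantt chart), and cost tracking, and that the projects map back to the strategic plan’s goals. The following is an added example, not code from the chapter, that enters the six projects listed above as data and then checks them the way a cyber security officer would before publishing the plan: every required field present, end dates after start dates, prerequisite projects finishing in time, a text Gantt chart, and a mapping of projects to the strategic plan objectives that exposes which objectives have no project behind them. The titles, leads, objectives, and dates come from the chapter; the budget figures, the dependency links between projects, and the objective each project is mapped to are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Added example (not from the chapter): the six annual-plan projects as checkable data.
# Title, lead, objective, start and end dates follow the chapter; the budget figures,
# dependency links, and strategic-objective mappings are assumptions for illustration.

STRATEGIC_OBJECTIVES = [            # from "The Cyber Security Strategic Plan Objective"
    "Minimize risks to systems and information",
    "Minimize impact on costs",
    "Minimize impact on schedules",
    "Assist in meeting contractual requirements",
    "Assist in meeting noncontractual requirements",
    "Build a comprehensive systems security environment",
    "Respond flexibly to changing needs",
    "Support multiple customers' information protection needs",
    "Incorporate new technologies as soon as needed",
    "Assist in attracting new customers",
    "Maximize the use of available resources",
]

@dataclass
class Project:
    pid: int
    title: str
    lead: str
    objective: str
    start: date
    end: date
    budget_usd: int          # assumed figure; the chapter asks for cost tracking, not amounts
    supports: str            # assumed mapping to one strategic objective
    depends_on: tuple = ()   # assumed: projects that must finish before this one ends

CSO = "Cyber security officer"
SSE = "Cyber security organization systems security engineer"
ANNUAL_PLAN = [
    Project(1, "Corporate Cyber Security Organization", CSO,
            "Establish a cyber security program to support organization",
            date(2016, 1, 1), date(2016, 7, 1), 120_000, STRATEGIC_OBJECTIVES[5], (3,)),
    Project(2, "Cyber Security Program Policies and Procedures Review", CSO,
            "Identify and review all cyber security program-related corporate documentation",
            date(2016, 2, 1), date(2016, 4, 1), 30_000, STRATEGIC_OBJECTIVES[3], (3,)),
    Project(3, "Cyber Security Team", CSO,
            "Establish a corporate cyber security program working group",
            date(2016, 1, 1), date(2016, 2, 1), 10_000, STRATEGIC_OBJECTIVES[6]),
    Project(4, "Corporate Proprietary Process Protection", SSE,
            "Identification, assessment, and protection of corporate proprietary processes",
            date(2016, 4, 15), date(2016, 9, 1), 80_000, STRATEGIC_OBJECTIVES[0], (2,)),
    Project(5, "Cyber Security Organizational Functions", CSO,
            "Identify and establish cyber security organizational functions",
            date(2016, 1, 15), date(2016, 7, 1), 60_000, STRATEGIC_OBJECTIVES[10], (3,)),
    Project(6, "Cyber Security Support to IT Changes", SSE,
            "Establish a process to integrate cyber security as the IT environment changes",
            date(2016, 3, 15), date(2016, 10, 1), 50_000, STRATEGIC_OBJECTIVES[8], (5,)),
]

def validate(plan):
    """Return the problems found: a blank required field, an end date not after the
    start date, or a prerequisite that is unknown or finishes after this project ends.
    An empty list means the plan is internally consistent."""
    problems, by_id = [], {p.pid: p for p in plan}
    for p in plan:
        for name in ("title", "lead", "objective", "supports"):
            if not getattr(p, name).strip():
                problems.append(f"project {p.pid}: {name} is blank")
        if p.end <= p.start:
            problems.append(f"project {p.pid}: end {p.end} is not after start {p.start}")
        for d in p.depends_on:
            if d not in by_id:
                problems.append(f"project {p.pid}: depends on unknown project {d}")
            elif by_id[d].end > p.end:
                problems.append(f"project {p.pid}: ends before prerequisite {d} finishes")
    return problems

def gantt(plan, year=2016):
    """Render a text Gantt chart: one column per month, '#' where the project is active."""
    rows = []
    for p in plan:
        cells = []
        for m in range(1, 13):
            month_start = date(year, m, 1)
            month_end = date(year + (m == 12), m % 12 + 1, 1)   # first day of next month
            cells.append("#" if p.start < month_end and p.end > month_start else ".")
        rows.append(f"{p.pid} {''.join(cells)} {p.title}")
    return "\n".join(rows)

def budget_by_objective(plan):
    """Map each strategic objective to the projects and budget that support it.
    Objectives left with no project are the gaps the chapter asks the reader to find."""
    mapping = {obj: {"projects": [], "budget_usd": 0} for obj in STRATEGIC_OBJECTIVES}
    for p in plan:
        entry = mapping.setdefault(p.supports, {"projects": [], "budget_usd": 0})
        entry["projects"].append(p.pid)
        entry["budget_usd"] += p.budget_usd
    return mapping

def unsupported_objectives(plan):
    """Strategic objectives that no annual-plan project supports."""
    return [obj for obj, m in budget_by_objective(plan).items() if not m["projects"]]

if __name__ == "__main__":
    print("\n".join(validate(ANNUAL_PLAN)) or "plan is consistent")
    print(gantt(ANNUAL_PLAN))
    print("objectives with no project:", unsupported_objectives(ANNUAL_PLAN))
```

With the assumed mappings, five of the eleven strategic objectives have no project behind them, which is exactly the kind of gap the mapping step is meant to surface before the plan is written up in the corporate format. The dependency check is the schedule equivalent: a project that is supposed to build on the working group’s output but ends before the working group is formed is a planning error the Gantt chart alone will not flag.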

Mapping the Cyber Security Annual Plan to the Corporate Annual Business Plan

As was previously shown, mapping the cyber security program and the cyber security annual plan to the corporate annual business plan is done in the same way as for the strategic and tactical plans. In this example, however, the objectives of the corporate annual business plan were not listed, so the mapping is not worked out here.3

Writing the Cyber Security Annual Plan

As noted earlier, writing of the plans must follow the corporate format. The cyber security annual plan is no exception, and the following format is required:
1. Executive summary
2. Table of contents
3. Introduction
4. Cyber security annual goals
5. Cyber security projects
6. How the cyber security projects support corporate’s annual plan goals
7. Mapping charts
8. Conclusion

Questions to Consider

Based on what you have read, consider the following questions and how you would reply to them:
• Does your company have plans that can be considered strategic, tactical, or annual, for example, long-range or short-range plans?
• Have you read them?
• If not, how do you know you are providing adequate service and support to the company?
• Do you have strategic, tactical, and annual plans that support the company’s business plans?
• If so, are they current?
• How do you know?
• Do you have a process in place to keep them current?
• If not, why not?
• If you do have such plans, do you have a process in place and flowcharted to show how the plans, your information and systems protection functions, projects, risk management strategy, cost–benefit philosophy, and such are integrated into your cyber security program that supports the company’s plans?
• If not, why not?

Summary

Planning is a vitally important way to establish a cost-effective, quality corporate cyber security environment. It helps focus effort on the tasks that will effectively and efficiently meet the goals and objectives of the cyber security program. As part of that planning, the cyber security officer should consider the following points:
• The corporate cyber security strategic, tactical, and annual plans must be mapped and integrated into the corporate strategic, tactical, and annual business plans.
• The cyber security program-related plans must incorporate the cyber security vision, mission, and quality statements and their philosophies and concepts.
• The cyber security program-related plans must identify strategies, goals, objectives, and projects that support one another and the corporate plans.
• By mapping the goals of the corporate plans with those of the cyber security program-related plans, the required information fusion can take place and can be graphically represented.
Figure 1 Mapping of the goals of the corporate plans to those of the cyber security program plans. IWC stands for a generic corporation, International Widget Corporation, and CIAAP is the corporate information assurance annual plan.
• Mapping will make it easier for the cyber security officer to write the applicable cyber security plans.
• The cyber security annual plan generally consists of projects that are the building blocks of the cyber security program following the strategies and tactics of the corporate and other cyber security program plans. Figure 1 provides an example of mapping showing the relationship of plans. What, if anything, is lacking?

1 William Shakespeare (1564–1616), English poet and playwright. Polonius, Hamlet (1601), Act 2, Scene 2.

2 For those readers who are inclined to argue the technical definitions of terms, I concede that the definition of terms varies between corporations and those used here may not fit nicely into the definitions used by the corporation or government agency of the reader. However, the reader should not lose sight of the process being discussed. That is the important aspect of this chapter.

3 The reader probably understands this process by now and can easily use this mapping method.
