Chapter 8

Establishing a Cyber Security Program and Organization

Abstract

The objective of this chapter is to describe how to establish a corporate cyber security program and its associated organization. A “what-if” approach is used in which a corporate security officer is shown to act in a certain way based on what is required of him or her by the corporation in which that person is employed, using a fictional corporate environment.

Keywords

Corporate cyber security program; Corporate information officer (CIO); Corporation overall policy document; Formal project management techniques; Information environment (IE); Off-site cyber security program; Strategic business plan (SBP); Tactical business plan (TBP)

We trained hard, but it seemed every time we were beginning to form up into teams, we would be reorganized. I was to learn later in life that we tend to meet any new situation by reorganizing.

Petronius Arbiter1

Chapter Objective
The objective of this chapter is to describe how to establish a corporate cyber security program and its associated organization. A “what-if” approach is used in which a corporate security officer is shown to act in a certain way based on what is required of him or her by the corporation in which that person is employed, using a fictional corporate environment.

Introduction

The corporation’s information and information systems are among its most vital assets. These valuable assets must be consistently protected by all the corporation employees, contracted personnel, associate companies, subcontractors, and, in fact, everyone who has authorized access to these assets. They must be protected regardless of the information environment, whether through faxes, telephones, cellular phones, local area networks, Internet e-mails, hard copies, scanners, personal digital assistants (PDAs)—any device that processes, transmits, displays, or stores the corporation’s sensitive information. What is meant by sensitive is all information that has been determined to require protection. That determination is based on basic, common business sense—for example, a marketing plan for next year’s product must be protected, and it doesn’t take a risk assessment to determine that. Some information must also be protected because there are laws that make that information protection a requirement—for example, private information about employees.
To provide that consistent protection, those individuals who have authorized access to the information and information systems must therefore do the following:
• Be provided with guidance,
• Understand how to apply information asset protection,
• Understand why such information asset protection is required, and
• Understand the corporation policy regarding that protection.
The corporation’s executive management had decided that a policy document was needed. So, the corporation’s cyber security officer was hired primarily to fulfill that requirement as stated in the corporate plans, such as the corporation strategic business plan.

Corporate Cyber Security Program2

The cyber security officer knew that to successfully protect the corporation’s information-related assets there must be formal guidelines and directions provided to the corporation’s employees. There must also be some formal processes that are used to ensure that the corporation’s information assets were protected effectively and efficiently—in other words, “cheap and good.” It would be obvious to the corporation’s management and the cyber security officer that to do otherwise would cause employees to protect these information-related assets as they saw fit, or not protect them at all. Such was almost the case now, and it is hoped that the cyber security officer would know there was an urgent need to quickly establish a cyber security program.
The cyber security program would be developed taking into consideration or incorporating the following:
• Reasons for the cyber security program;
• The corporation’s vision, mission, and quality statements;
• Information and systems legal, ethical, and best business practices;
• The corporation’s strategic, tactical, and annual business plans;
• Information and systems protection strategic, tactical, and annual business plans;
• The corporation’s overall information assets protection plans, policies, and procedures as directed by the corporate security office;
• Cyber security vision, mission, and quality statements;
• Current cyber security program-related policies;
• Current cyber security program-related procedures; and
• Other topics as deemed appropriate once the cyber security officer and the cyber security project team have established the baseline.
The cyber security program cannot be developed in a vacuum if it is to work. The input of others is a necessity: The cyber security program, if not done correctly, may have an adverse impact on the business of the corporation. Remember that the cyber security officer’s cyber security functional organization must be a service- and support-driven organization. As part of that endeavor, the cyber security program must support the corporation’s business plans. It then follows that the plans call for certain actions to protect the corporation’s vital information and information systems assets.
Remember that what is being discussed here are the plans, processes, policies, and procedures (P4) that are established, implemented, and maintained as applying to all the corporation departments (P4 because as each of the “P’s” is added to the others, the protection baseline increases exponentially). This should not be confused with the cyber security officer’s cyber security organization’s plans, policies, and procedures, such as work instructions and processes that apply strictly within that cyber security organization.
As the cyber security officer, one of your first tasks is to obtain a copy of the corporation cyber security program that was to be established by the prior cyber security officer. You may find that:
1. There is no such document,
2. The current one is not really current at all and needs updating, or
3. To your shock and amazement, the corporation cyber security program is current and an excellent document.
Of the three options, which would you prefer and why? Actually, there are benefits to all of the options, but they are listed in our preferred order. Does it seem strange that one would not opt for option 3? The one you choose will probably be based on where you are coming from and where you are going (your education and experience). OK, no more riddles.
Option 1 has some benefits. If there is no such document as the corporation cyber security program by any name, one can “do it right the first time” and develop one that meets the needs of the corporation using your own tried and true methods. However, the less experience you have, the more difficult it will be to do it right the first time. If you are new to the corporation cyber security officer position, it may be doubly difficult and a real problem. No, not a problem, because you are now in a high management position. These are not called problems. They are called challenges.
Having a corporate cyber security program that has been approved by those who must approve it (executive management) has some benefits, of course. “Approve it?” you say. “Why does anyone have to approve it? I am the cyber security officer, the security professional, the expert in the business. I know what I am doing. I don’t need any nonsecurity people out there playing amateur information systems security expert.” Great! That may have worked in the past, maybe in the times of the hunter–gatherers—but not now.
Here’s the issue: As the cyber security officer, you are going to establish a cyber security program that will affect everyone and everything in the corporation in one form or another, since information systems permeate all levels of the corporation and the corporation cannot function without them. You are new to the corporation and really don’t have a good handle on how information assets protection policies and procedures affect the corporation business of making widgets. You may have a great way to protect a certain, sensitive corporation information-related asset, but find that if it were implemented it would slow down production. That is not a good idea in the competitive, fast-paced, global marketplace in which the corporation competes for business. That may get you a warning first, but then you’ll be fired (as was the case of the last cyber security officer?); or it may increase costs in other ways (slowing down production is a cost matter also).
Option 2 also has some very good advantages, especially for the cyber security officer who has less experience in the profession and/or less experience at the corporation. The advantage is that you have a framework on which to build, essentially changing it to how you envision the final baseline. However, as with option 1, some caution is advised. Option 2 allows you, as the new cyber security officer, the opportunity to see what executive management has authorized to date. In other words, you know how much “protection” the executive management of the corporation will allow at what expense to productivity, costs, etc.
This is important also because if you increase security, you must provide sound, convincing business reasons why that should happen. In this case, you have an edge because of the previous loss of the corporation information assets, which caused the firing of the former cyber security officer. In addition, the chief executive officer (CEO) is supportive in that the strategic business plan and the tactical business plan both have cyber security program goals, and those plans had to be approved by the CEO prior to implementation. Thus, the cyber security program already has high visibility and at least some executive management support. However, that honeymoon may not last long if you require protection mechanisms that aren’t backed by sound business sense.
Option 3 is great if you are new to the cyber security officer position and/or lack confidence or experience in cyber security program development. However, caution is also needed here, because information assets were lost and the former cyber security officer was fired. You must get answers for the following questions:
• Did the information assets protection processes as set forth in the cyber security program leave a vulnerability that allowed the threat agent to take advantage of it?
• Was the cyber security program not the issue—did someone or some group fail to follow proper procedures?
• Was the cyber security officer just not the right person for the job at the corporation? (If this is the case, find out why so you don’t make the same mistake, assuming you want to work for the corporation for more than a year or two.)
As the new cyber security officer, you should find the answers to these questions and then determine how the cyber security program can be enhanced to mitigate future attacks. The benefit of a current cyber security program is that it has received the concurrence of executive management—but remember, it may be a bad plan. After all, what does executive management know of cyber security program matters except what the cyber security officer tells them, aside from the “common sense” knowledge?
Let us assume that no corporation cyber security program is in existence. So, the cyber security officer must start from the beginning. Actually, that is not entirely true. As an experienced cyber security officer, the corporation cyber security officer has brought knowledge and experience to the corporation cyber security officer position. In addition, there are always some sort of information and information systems protection policies and guidelines available. It may be just a matter of gathering them all together for analysis as part of establishing the cyber security program baseline.
In addition, the cyber security officer has swapped and collected cyber security program plans from other cyber security professionals over the years that may prove useful. Several words of caution:
• Never take another’s cyber security program (or any documents) without the approval of his or her appropriate corporate authority. Such plans may be considered and marked as corporate–confidential, corporate–private, corporate–proprietary, or the like. There is an ethics issue here.
• Furthermore, the other cyber security programs may be outdated or may not meet the needs of the corporation, perhaps because of technology changes, a different corporate culture, or a different corporate environment.
Using formal project management techniques, the cyber security officer decides to establish a cyber security program project team and selects a project lead, leads the team, or has the group select their own project lead. If the cyber security officer’s cyber security organization has one or more specialists in information assets protection policies and procedures, then one of those specialists would be the natural one to head up the project team. Other team members should include those within the cyber security organization who are responsible for each of the functions of the cyber security organization.
These team members would not be used full time on the project, but would represent the cyber security functions and provide input as deemed appropriate by the cyber security program project team leader. The cyber security officer decided to use only specialists from the cyber security organization at this time to speed up the draft of the baseline cyber security program’s primary document—that which contains the requirements and P4. To do otherwise—to add auditors, information technology (IT) staff, human relations specialists, legal staff, etc.—would invariably cause too much time to be taken in discussing such matters as policies being too restrictive or not restrictive enough, leading to a slowdown or committee paralysis. The cyber security officer determined that coordination would be done upon establishment of the initial draft document.
Let’s now assume there is a plan in place with outdated portions. The cyber security officer, who has already read the document and does not agree with some of the requirements in it and who sees other requirements that are obviously lacking, should first meet with the specialist currently responsible for the cyber security program and that person’s manager (the assumption is that there are some cyber security staff already employed and that someone in the current cyber security organization has responsibility for the cyber security program—or equivalent plan or program). The main purpose of the meeting would be to determine why it is not current and discuss the rationale for all the requirements stated in the document. It may be that some portions were deleted because of executive management objections. These must be identified, because it is of little use to update the cyber security program if it is to meet resistance and rejection when it is briefed to and coordinated with executive management.
If the cyber security officer determines that there was resistance and disapproval of some aspects of the cyber security program, then the cyber security officer should look at that issue first. The approach the cyber security officer will use is to establish another cyber security project team, which will conduct a limited risk assessment related to the identified issues: management’s rejection of some much-needed information assets protection requirements. The risk assessment is limited to a specific objective: determining the risks to a specific asset, the costs of mitigating that risk, or the rationale for the requirement. It is also limited in time. For each of these issues in which different information assets and departments have been involved, such as manufacturing and marketing, a separate, limited risk assessment will be conducted.
The results of the limited risk assessments will then be provided as part of a formal briefing to the vice president of that particular department, and a copy of the report will be given to the corporate information officer (CIO). The copy to the CIO (the cyber security officer’s boss) will be given just to ensure that the CIO is in the communications loop and because a copy will be available for use when briefing the CEO and the executive management team on the new cyber security program and its changes. The limited assessment will be part of the backup documentation for the briefing. The cyber security officer reasons that a copy to the CEO would not be a good idea at this time, because then the cyber security officer would have to explain what it is and why the CEO has it.
The CEO does not currently understand how the new cyber security officer operates, and now is no time to take away from the priority cyber security program project management to provide a “for your information” report to the CEO. Some cyber security officers may think that such things help the cyber security officer gain visibility and show the “great” things that the cyber security officer and cyber security staff are accomplishing. However, it may have the opposite effect, as the CEO would ask questions:
• Why do I have this?
• What is it?
• What am I to do with it?
• Do I have to make a decision now based on it?
What is your reply as the cyber security officer? “Oh, I just thought you would enjoy reading it because I know you are not that busy; you don’t have better things to do; my stuff is so much more important than what you do to run the corporation; and no, you don’t have any action items that come from this. I just want to show you what a great job I’m doing.” That will work in getting you recognized—but for all the wrong reasons and in the wrong way.
The limited risk assessment will state the risks, the mitigation factors, and the estimated costs of the increased protection of that particular asset or set of information assets. If the vice president of that department, who is also the person immediately responsible for the protection of that information asset or assets, does not concur with the increased protection, then the vice president must formally accept the risks in writing on the last page of the report and send it back to the cyber security officer.
The acceptance of risk statement reads as follows: I have reviewed the findings of the limited risk assessment conducted by members of the corporation cyber security staff. I understand the potential loss of, or damage to, the corporation information assets under my care that may occur if additional protective processes are not put in place. I accept that risk.
You will probably find that most people will be unwilling to sign such a document or will try to delay signing and hope the issue is forgotten. The cyber security officer can never let that happen. To resolve that issue, a reply of concurrence or nonconcurrence will be set forth in the document with a suspense date. If no reply is forthcoming by that date, the report states that additional safeguards will be put into effect no later than a specific date because of the failure of the action person to sign the document. A nonreply is taken as a concurrence.
Often the executive will try to find a way out of the dilemma and “negotiations” will take place in which various options will be examined, other than those already stated in the report. The cyber security officer cannot say no to such a request: To do so would allow the executive to say that the cyber security officer was not being cooperative, was not a team player, had a “take it or leave it” attitude. At the same time, this negotiation cannot go on indefinitely. If a roadblock is reached, then the executive and the cyber security officer should agree that the matter be discussed at a meeting with the CIO and/or CEO.
The corporation CIO would probably be wondering if there was some other way out of it. The CIO thinks: “Here this cyber security officer hasn’t even been in the job a month, and already I’m getting involved in conflicts.” The CIO does not like becoming involved in conflicts.
As a side note, no matter what final decision is made, the cyber security officer’s performance review and probably merit raise may be affected because the cyber security officer was not able to resolve the issue (even though the fault was that of others). The cyber security officer could have resolved the issue by just allowing the other vice presidents or managers to have it their way. However, the cyber security officer knows that also contributed to the previous cyber security officer being fired. It is a no-win situation, but that’s life as a cyber security officer. For the cyber security officer to do otherwise is unprofessional and an ethics issue.

The Corporate Cyber Security Program—Requirements

In developing a cyber security program, one must first look at the requirements that drive the formation of policies, which lead to procedures, which turn into processes to be followed by all those having authorized access to the corporation information and information systems assets.
Requirements, also known as cyber security drivers, are those laws, regulations, common business practices, ethics, and the like on which the policies are based. The policies are needed to comply with the requirements; the procedures are required to implement the policy; and the processes are steps that are followed to support the procedures.

The Corporate Cyber Security Program—Information Assets Protection Policies

When discussing information assets protection policy, we define it as a codified set of principles that are directive in nature and that provide the baseline for the protection of corporate information assets.
It is always the best policy to speak the truth, unless, of course, you are an exceptionally good liar.
Jerome K. Jerome
The corporate information assets protection policies are a series of policies that deal with the protection of various information assets categories within the corporation. These policies make up a major portion of the cyber security program, as they are the protection “rules.” They are the first building blocks of the corporation information assets protection environment. Information assets protection policies are the foundation for a cyber security program. It is crucial that they:
• Cover all information assets that must be protected,
• Cover all aspects of information assets protection,
• Do not have any loopholes that could contribute to vulnerabilities,
• Be clearly written,
• Be concise,
• Take into account the costs of protection,
• Take into account the benefits of protection,
• Take into account the associated risks to the information assets,
• Be coordinated with executive management and others as applicable,
• Be concurred in by executive management and others as applicable,
• Be actively supported by executive management and all employees, and
• Include a process to ensure that they are kept current at all times.
One cannot state these requirements too strongly. They are the key to a successful cyber security program. If it is not stated in writing, it does not exist. After the information assets protection policies are established and approved in accordance with the corporation requirements (executive management approval for all policies that affect the entire corporation), the information contained in the policies must be given to all corporate employees. This will be done through the corporation cyber security program education and awareness training program.
A key process that the cyber security officer must establish is one that will maintain all information assets protection policies in a current state. Because this is a crucial function, the cyber security officer has assigned one staff member full time to ensure that the policies are current at all times and ensure that when changes are considered, they are properly coordinated, and the information is dispensed to all employees as soon as possible. After all, the changes may just be procedural, or they may mitigate a risk to some valuable corporation information assets.
The cyber security officer’s focal point for information assets protection policies is the central cyber security person to collect information that adversely affects the protection of information and information systems. That adverse information is analyzed by the focal point, with help from others as needed, to determine if policies must be added or modified to help mitigate the adverse effects—vulnerabilities—identified. If so, such changes are done based on a cost–benefits approach to mitigating the identified vulnerabilities.
For the position of an information assets protection policy specialist, the cyber security officer has chosen a person already employed by Human Resources (HR). This was done after interviews and looking at the experience of the cyber security staff. None of the cyber security staff were qualified or interested in such a position: The cyber security staff saw it as being a “nontechie paper shuffler” job. The cyber security officer purposely looked for a qualified employee within the corporation, since that person would already be familiar with the corporation culture and processes—basically, how things were done at the corporation.
The cyber security officer was able to get this new position approved by the HR Department and rated at a sufficiently high position level to attract the best candidates. The cyber security officer’s rationale was to rate all new positions at as high a level as possible, so the cyber security officer could attract the best candidates in the corporation or outside the corporation. Such a position would be seen as a promotion by many in the corporation. This was not an easy task, but the cyber security officer had experience in working with HR specialists. The task was not as difficult as it might have been—and once had been for the cyber security officer.
The person hired had worked in an HR office, where the duties included writing HR policy and procedures documents, coordinating document approvals, and maintaining the corporation documentation library. The individual responded to a corporation “vacant position” announcement that was available to all employees through the online HR network.
The job description for the Cyber Security Specialist was developed by the cyber security officer based on past experience. The person was not actively recruited within HR, as this violated the corporation policy—people cannot actively try to “steal” employees from one another. As well as violating corporate policy, it is unethical.
One person who responded to the vacancy announcement had two years of experience at the corporation and had a bachelor’s degree in journalism, but no cyber security or information assets protection experience. The cyber security officer wanted someone who could write and coordinate policies and procedures as the first priority and could secondarily learn about cyber security-related matters. The incentive was that the position was a promotion from the person’s previously held position, and the person would be the lead in this function, rather than “just another employee” in the HR organization.3
At the corporation, the cyber security officer developed an administrative document architecture in which there was an overall information assets protection policy document followed by the other assets protection policy documents. The corporation overall policy document (Information Assets Protection Policy Document 500-1, also known as IAPPD 500-1) begins with a letter from the corporation CEO to show employees that this program was supported by the CEO:
To: All Corporation Employees
Subject: Protecting the Corporation’s Information Assets to Maintain Our Competitive Edge through a Corporate Cyber Security Program
We are a leading international corporation in the manufacturing and sales of widgets. Today, we compete around the world in the global marketplace of fierce competition. To maintain a leadership position and grow, we depend first and foremost on all of you and provide you the resources to help you do your jobs to the best of your ability. You are vital to our success.
It is the policy of the corporation to protect all our vital assets that are the key to our success, and among these are our information-related assets. These include information, automated manufacturing tools, technology, information- and systems-driven processes, hardware, software, and firmware that we all rely upon to be successful. You and these other vital corporation information assets must be able to operate in a safe environment, and our resources must be protected from loss, compromise, or other adverse effects that affect our ability to compete in the marketplace.
It is also corporation policy to depend on all of you to do your part to protect these valuable information-related assets in these volatile times.
The protection of our information assets can be accomplished only through an effective and efficient cyber security program. We have begun an aggressive effort to build such a program.
This directive is the road map to our corporate cyber security program and the continued success of the corporation. In order for the cyber security program to be successful, you must give it your full support. Your support is vital to ensure that the corporation continues to grow and maintain its leadership role in the widget industry.
(Signed by the corporation President and CEO)
It is crucial that the CEO lead the way in the support of the protection of the corporation information assets. To get the preceding statement published, the cyber security officer relied on the policy cyber security staff member to draft a statement for the CEO to sign. The cyber security officer reasoned that it is always better to write a draft for someone to ensure that what is published meets the needs of the cyber security program and the corporation. The statement was drafted after reviewing numerous other documents and speeches made by the CEO to ensure that the words and format used were consistent with what the CEO normally signed.
The draft was edited by the cyber security officer and then coordinated by the cyber security officer with the Director of Corporate Security, since this had to do with the corporation assets. The Director of Security had no issues with the policy and in fact was happy that the cyber security officer was aggressively moving forward on this matter. In addition, the Director of Security believed that the cyber security officer pushing forward would eventually benefit the Security Department. Furthermore, if the cyber security officer ran into trouble with executive management, the Director could see how far the cyber security officer was able to go in meeting the information assets protection objectives. He likened the cyber security officer to a lead scout going through the corporation’s executive management minefield. It would help the Director to politically choose his ground. After all, the Director was “old school.” He didn’t care much for computers, and he had no problem letting the cyber security officer take on the cyber security matters while the Director concentrated on more “mundane” security matters while awaiting his time for retirement in another four or five years.
Because the draft was going to the CEO, it was also reviewed and edited by the cyber security officer’s boss, the CIO. It was then sent to the CEO’s public relations staff and legal staff for editing and subsequently presented to the CEO by the cyber security officer accompanied by the CIO, who was always concerned when the cyber security officer was involved in anything that brought CEO visibility to any aspects of the CIO’s department.
The cyber security officer accomplished another objective toward building a cyber security program for the corporation. The letter signed by the CEO was just one part of it. The cyber security officer also got support from the CEO to aggressively attack the vulnerabilities problems, because the CEO did not object to the assessment approach briefed by the cyber security officer as part of the cyber security program philosophy. That “hidden agenda” was used to initiate a more proactive effort that the Director of Audits and the cyber security officer had agreed to prior to the cyber security officer’s meeting with the CEO. This tacit approval allowed the cyber security officer to establish a more proactive and aggressive cyber security program. All this may seem a little devious but not unethical—or is it? Do the results outweigh the tactics used to gain those results? You be the judge.
The cyber security policy document had a coordination note attached that showed all those who had seen the document (CEOs rarely sign anything relating to corporate business without input from the staff). If the cyber security officer had just made an appointment with the CEO and asked for concurrence on the document, the cyber security officer would undoubtedly have been asked whether the CIO had seen it, whether it had been coordinated with his (the cyber security officer’s) staff, etc. The cyber security officer would have had to say no, wasting the CEO’s time and the cyber security officer’s time. The CEO would never sign off on the document without CEO staff input. The whole incident would make the cyber security officer look foolish and unprofessional, and perhaps feel a little insecure, as though the CEO did not trust the cyber security officer.
One key factor is missing here. Do you know what it is? Would the CEO have signed the document without seeing the draft policy directive, IAPPD 500-1? The answer is probably yes. This is because the cyber security officer ensured that the letter was written without alluding to or identifying any “attached policy document” or any other document, for that matter. Why is this important? It is important because this document is timeless and can be used as a stand-alone document. The cyber security officer thought that it could also be attached to any information assets protection policy directive and would help enforce the policy directive because anyone would assume that the CEO’s signed document is supporting the policy directive to which it is attached.
The fact is, it is probably true that the CEO would support the policy directive: That directive could not have been published and implemented without following the corporation directive publishing process. This process, as stated in the corporation directive HRD 5-17, includes directions as to proper coordination with applicable departments that would be affected by the directive.
The next day, the cyber security officer happened to be in discussion with the cyber security policy specialist around the coffeepot. They discussed the CEO’s approval of the document, and the cyber security officer thanked the specialist for a great job.4 The specialist said “Thanks” and also said, “You know, of course, that it is corporation policy that letters, regardless of who signs them, have no more than a 90-day life span? That policy was put in place because many executives and other managers were writing policy ‘letters’ to circumvent the coordination process for directives. So, these policy letters proliferated at the corporation. No one knew what was current and what wasn’t, and many failed to follow the letters because ‘they didn’t work for that person’ (the person who signed the letters). So, the letters were ignored. The last thing that the corporation needed was a bunch of letter policies flowing around and being ignored. That left the entire corporation atmosphere full of conflicts, some chaos, and an attitude of flouting any rules that one didn’t like. In fact, that contributed to our loss of information assets, the firing of managers, including your predecessor. So, you don’t want to end up starting that mess all over again. Do you?”
The cyber security officer didn’t know that and was glad that the right person had been hired for the information assets protection policy specialist position. It’s funny how things sometimes work out better than expected. A “cyber security techie” in that position would probably not have known that valuable piece of information.
The cyber security officer thought about what the information assets protection policy specialist had said. The cyber security officer wanted to keep to a minimum any objections to the information assets policy directives.
So, the cyber security officer directed that a copy of the CEO’s signed document be attached to any information assets protection policy document the cyber security officer was trying to get through the coordination process, published, and implemented. The cyber security officer also included a note on the coordination sheet that stated: The attached document is an implementation document to meet the corporation information assets protection program requirements as stated in the CEO’s document. The cyber security officer was very satisfied with this approach and also directed that the CEO’s letter be changed to a formal directive and so instructed the cyber security policy specialist. That directive, the cyber security officer reasoned, should not require any coordination because the CEO had already signed it. This was the case, and the CEO’s letter became the corporation’s IAPPD 500-1. Therefore, all other policy directives flowed from that overall directive—the CEO’s memo-directive.
The cyber security officer directed that a project, with the cyber security policy specialist as the project lead, be established and implemented. The objective was to bring all information assets protection policy directives up to date. This would require all the corporation policy directives related to information assets protection to be reviewed, updated, coordinated, republished, and placed online, and that all briefings, training, and other processes be updated accordingly. The cyber security officer also directed that the project lead should prioritize the directives according to the following schedule:
• Directives that did not currently exist but must be developed to address the protection of various information assets and
• Directives that were the most outdated (continuing to those that were the least outdated).
The cyber security officer reasoned that outdated directives were better than no information assets policy directives, because where some were needed and did not exist, the information assets were more vulnerable. Although the missing directives would take the longest to get implemented, they were the most important. The cyber security officer also directed the information assets protection policy project team, with the policy specialist as the project lead, to do as much as possible in parallel. Those requiring the least amount of work could be done faster, and every updated directive was another victory in the war to protect corporate information assets.
War? The word was chosen in all seriousness. The cyber security officer and the staff must get on a “war footing” and not treat their professional duties as some 9-to-5 job. Corporate information assets are being attacked from inside and outside the corporation, from within the home nation-state, and by competitors and nation-states from around the world on a 24/7 basis. This corporation was no exception, and in fact because of its leadership role in the widget industry, it was probably more at risk than some other corporations.
The cyber security officer directed that all policy directives be limited to specific issues. The cyber security officer reasoned that to develop one large policy directive that covered all aspects of the corporation’s information assets protection needs was not a good idea. Do you agree? Before answering, think about it from an employee’s perspective. The employee has a job to do as a specialist in a chosen profession. Employees are not, nor do they want to be, cyber security specialists. To assist them in at least complying with the cyber security program, the “KISS” principle (keep it simple, stupid) should always be applied.
An employee who wants to do the right thing and comply with all the corporation directives and information assets protection directives is part of the group. Let’s say the employee works in a marketing group. If there were just one large policy document, the employee would look at this monster and might be intimidated by its size. The employee does not need to know about many of the information assets’ protection requirements—for example, those that pertain to the manufacturing environment. Yes, one could do keyword searches if the documents are online, but in all probability, pertinent information would be scattered throughout the document. With the capability of putting documents online and maintaining them online, it is easy in today’s word processing environment to just cut and paste applicable portions of other information assets protection documents that apply to multiple information environments.
Many employees have lost patience trying to read through such large—and boring—documents. Let’s face it, even cyber security professionals get bored reading cyber security documents. Ironically, some cyber security personnel never read the entire series of cyber security-related documents unless they have to, or unless someone embarrasses them by pointing out that they (cyber security personnel) are violating their own cyber security rules!
Topic-oriented information assets protection policy documents can be developed, coordinated, and implemented faster. In addition, employees can easily determine which directive to search for guidance without reading volumes. Also, one large directive would be almost constantly in a state of change because of various aspects requiring changes at different times.
The cyber security officer directed that, as a minimum, individual information assets policy directives were to be established to provide guidance for the protection of the following corporate information assets5:
• Overall information assets protection (CEO’s signed letter);
• Information valuation, marking, storing, distribution, and destruction;
• Information processed, displayed, stored, and transmitted by information systems on the corporation’s intranet;
• The corporation’s telecommunications systems and voice mail;
• Cellular phones, PDAs, and pagers;
• Fax machines;
• Teleconferencing;
• Printers and scanners;
• Automated manufacturing;
• E-mail;
• Vital, automated records; and
• Violations of information assets protection policies, procedures, and processes.

The Corporate Cyber Security Program Requirements and Policy Directive

The corporation cyber security program directives followed the standard format for the corporation policies and included the following:
1. Introduction, which included some history of the need for cyber security at the corporation;
2. Purpose, which described why the document existed;
3. Scope, which defined the breadth of the Directive;
4. Responsibilities, which defined and identified the responsibilities at all levels, including executive management, organizational managers, systems custodians, IT personnel, and users. The Directive also included the requirements for customers’, subcontractors’, and vendors’ access to the corporation systems and information; and
5. Requirements, which included the requirements for:
a. Identifying the value of the information;
b. Access to the corporation systems;
c. Access to specific applications and files;
d. Audit trails and their review;
e. Reporting responsibilities and action to be taken in the event of an indication of a possible violation;
f. Minimum protection for the hardware, firmware, and software6; and
g. Cyber security procedures at the corporation department and lower levels.

Physical Security and Cyber Security Program Policy

The physical security functions for the most part fall under the Security Department. It was agreed by the Director of Security and the cyber security officer that the physical security program, as it related to cyber security, was to remain under the purview of the Security Department; however, those aspects related to cyber security would be coordinated with the cyber security officer or his or her designated representative.
The technical countermeasures program relating to emanations of systems’ signals or covert signals that may be placed in the corporation’s sensitive processing areas had been initially placed under the purview of the cyber security officer; however, the Director of Security apparently became concerned because the systems permeate the corporation, which appeared to give the cyber security officer a great deal of authority.
The cyber security officer’s authority, which the Director equated to power, over physical security as it related to systems facilities was relinquished by the cyber security officer. The cyber security officer’s rationale was:
• It showed the executive management and the Director of Security that the cyber security officer was interested in getting the job done right and not who had the authority to do it;
• This move, coupled with the cyber security procedures responsibility placed on the corporate management, gave clear indications to everyone that the cyber security officer was interested in getting the job done in a cooperative effort in which cyber security responsibilities belonged to everyone in a true team effort; and
• It took a heavy responsibility off the shoulders of the cyber security officer. The cyber security officer was no longer responsible for the physical security aspects; thus, the cyber security officer’s attention could be directed to more technical aspects of the cyber security program—those more enjoyable to the cyber security officer.
The agreement reached by the cyber security officer and Director of Security was for the Security Department to be responsible for:
• Control of physical access to information systems throughout the corporation;
• Physical access control badge readers to areas containing sensitive information-processing activities;
• Physical disconnects of all systems-processing information so sensitive that the information could not be processed outside specified areas;
• Review, analyses, and action related to physical access control audit trails; and
• Control of physical access of all visitors, vendors, subcontractors, customers, and maintenance personnel and the escorting of such personnel into sensitive information-processing areas.

The Corporation Cyber Security Program—Cyber Security Procedures

Over the years, the cyber security officer has had experience in several corporations. The cyber security officer learned that the best way to provide an updated cyber security program is to begin at the highest level and work down. This form of information assets protection evaluation, analysis, and improvement is based on the fact that information assets protection is driven from, and must be supported by, the top down. Therefore, the cyber security officer began with the overall corporation assets protection requirements (drivers), followed by the information assets protection policies. Once they were in place, those related procedures that were already in place were analyzed and projects established to update them and develop new ones where needed.
Each information assets protection policy requires compliance by those identified in the policy directives. Each of these directives requires one or more procedures to be established so that there is a standard method used to support and implement the policies, including their spirit and intent. The information assets protection directives previously discussed require procedures to be established to comply with those directives. For example, what procedures should be used to determine the classification to be given a piece of information: corporation–trade secret, corporation–sensitive, corporation–proprietary? Some procedures may be written for everyone in the corporation to follow, while various departments may write others based on their unique information environments.
There are various opinions as to how best to go about developing procedures. One continues to get to a more detailed level as one goes from requirements (drivers) to policies to procedures. The main issue is this: If the cyber security officer establishes a specific procedure to comply with a specific policy, which in turn assists in meeting the corporation goals as stated in the corporate strategic business plan, tactical business plan, and annual business plan, the procedures may not be practical in one or two of the corporation’s departments. The department head may so state and may ask for a waiver saying that they can still comply if they have a different procedure that takes into account their unique working information environment. There may be more than one department with similar complaints. So, how does the cyber security officer ensure that people are following proper information assets protection procedures to comply with the information assets protection policies?
The cyber security officer has found that the best way to do this at the corporation is to require that the individual departments establish, implement, and maintain their own set of information assets protection procedures that comply with the policies. This has several benefits:
• Having each department write its own procedures helps enforce the philosophy that information assets protection is everyone’s responsibility.
• There will be fewer complaints and requests for waivers because one or more of the corporation’s departments cannot comply with the procedures as written by the cyber security officer’s staff. This benefits the cyber security officer, as tracking waivers may turn into a nightmare—who has what waivers, why, and for how long.
• The departments can develop procedures that meet their unique conditions and because of that, the procedures should be more cost-effective.
• The cyber security officer and his or her staff will save time and effort in writing and maintaining information assets protection procedures. To be blunt—it’s the departments’ problem. However, the cyber security officer has offered to make cyber security staff available to answer questions and to provide advice as to what should be in the documents. This was done in the spirit of providing service and support to the corporation employees. The liaison contact for the cyber security officer would of course be the cyber security policy specialist.
The question then arose as to how the cyber security officer could be sure that the procedures written by each department meet the spirit and intent of the policies. Two methods were identified:
• The cyber security staff, as part of their risk management processes, would conduct limited risk assessment surveys, and as part of those surveys, the procedures would be reviewed. The limited risk assessments would indicate how well the procedures in place help protect the corporation information assets under the control of each department or suborganization.
• The corporation’s audit staff would compare the procedures with the policies during their routine audits. The Director of Audits agreed to conduct such reviews, since that department is responsible for auditing compliance with federal, state, and local laws and regulations and the corporation’s policies and procedures anyway. It also helped that since the cyber security officer’s arrival, the cyber security officer and the Director of Audits met and agreed to monthly meetings to share information of mutual concern. The cyber security officer learned long ago that cyber security personnel have very few true supporters in helping them to get the job done, but auditors were one of them.
Procedures, along with their related processes, are the heart of a cyber security program because they provide the step-by-step approach for employees as to how to do their work and also ensure the protection of corporate information assets. And if the departments write their own procedures, they become actively involved as valuable team members in the process of protecting the corporation’s valuable information assets.

Cyber Security Officer Thought Process in Establishing the Cyber Security Organization

The cyber security officer also knew that a staff of cyber security specialists would be required because of the large size and geographical locations of the corporation systems and associated facilities. What the cyber security officer had to determine was how many specialists and what types were needed and how the cyber security officer’s organization should be structured. Although there was a group of cyber security specialists that made up the corporation’s cyber security organization that the cyber security officer inherited, they were disorganized and had been sort of “thrown together” by the previous cyber security officer, who was not employed long enough to get around to properly organizing the group.
The corporation cyber security officer must, in parallel to establishing a cyber security program baseline, also begin the task of establishing a cyber security program-related organization. The cyber security officer decided that the sole purpose of the organization was to lead and support the cyber security program. Therefore, the cyber security officer intended to provide an “umbilical cord” between the cyber security program and the cyber security officer’s organization. After all, without some form of cyber security program, no cyber security organization would be necessary. In doing so, the cyber security officer needed to understand:
• The limits of authority,
• The amount of budget available, and
• The impact of establishing a cyber security program on the corporation—the culture change.
The cyber security officer also had to determine how to find qualified people who could build and maintain a cost-effective cyber security program. The staff must also be able to develop into a cyber security team in which everyone acts and is treated as a professional. The corporation cyber security officer wanted a group of cyber security professionals who were very talented, yet could leave their egos at the door when they came to work (not an easy task for very talented people).
The cyber security officer also had to consider that building an empire and a massive, bureaucratic organization would not only give the wrong impression to the corporation management, but would also be costly. Furthermore, the cyber security officer had to build an efficient and effective cyber security organization, as required by the corporation and as stated in the numerous plans. After all, wasn’t that one of the implied conditions of employment?
Building a bureaucracy leads to cumbersome processes, which lead to slow decision cycles, which cause the cyber security program to have an adverse impact on costs and schedules, which leads to a cyber security program that does not provide the services and support needed by the company. This snowballing effect, once started, would be difficult to stop. And if stopped, it would require twice as long to rebuild the service and support reputation of the cyber security officer, the cyber security staff, and the cyber security program.
In developing the cyber security program organization, the cyber security officer also had to bear in mind all that was discussed with the corporate management and what was promised. These included:
• The corporation’s history, business, and competitive environment;
• Mission, vision, and quality statements;
• The corporation and cyber security program plans; and
• The need for developing a cyber security program as quickly as possible, for the work will not wait until the cyber security officer is fully prepared.

Determining the Need for Cyber Security Subordinate Organizations

The cyber security officer must determine whether subordinate cyber security organizations are needed. If so, a functional work breakdown structure must be developed to determine how many subordinate organizations are needed and what functions should be integrated into what subordinate organizations.
The corporation’s cyber security officer reviewed the cyber security officer’s charter and cyber security program focus previously agreed to by the cyber security officer and executive management. That charter included the following cyber security program functions:
• Requirements, policies, procedures, and plans;
• Hardware, firmware, and software cyber security evaluations;
• Technical security countermeasures (function subsequently transferred to the Security Department);
• Cyber security tests and evaluations;
• Information system processing approvals;
• Access control;
• Noncompliance inquiries;
• Telecommunications security;
• Risk management;
• Awareness and training; and
• Disaster recovery/contingency planning.
The cyber security officer analyzed the plans, functions, number of systems, and number of users and determined that two subordinate organizations would be needed to provide the minimum cyber security program professional services and support.
Actually, the cyber security officer thought of dividing the functions into three organizations, but the need for one of those was borderline. Also, having three suborganizations might give the wrong impression to others in the corporation (one must always remember perceptions and appearances when building a cyber security program and organization). It would also provide another level of administrative overhead burden that would not be cost-effective. The cyber security officer reasoned that the two subordinate organizations would suffice for now; the organizations could be reevaluated at the end of the first year’s operation.
The cyber security officer decided to brief the CIO (the boss) on the plan. The CIO thought it was reasonable, but wondered how the cyber security officer would handle the off-site locations in the United States, Europe, and Asia.
As with any good plan, nothing ever runs completely as expected. Being an honest and straightforward cyber security officer, the cyber security officer could offer only one logical comeback: “Huh?” The CIO went on to explain that their global locations are manufacturing sites making final or subassemblies of the widgets and shipping them to the main plant or global customers, as applicable.
The cyber security officer asked the CIO how other organizations handled the off-site locations. The CIO explained that they have smaller, satellite offices to provide the service and support needed at each location. The cyber security officer determined that before deciding on the need for a satellite office, the problem should be further evaluated. The cyber security officer explained to the CIO that the evaluation would be conducted within a week and a decision made at that time.
The cyber security officer subsequently determined that to provide quality services and support to the off-site locations, small cyber security organizations with dedicated staff should be in place at all facilities. This would replace the current staff, who, as an additional duty assigned by on-site facility executive managers, had to serve as part-time cyber security persons. This decision was based on several considerations:
• Conversations with managers of other organizations who had satellite offices at the off-site location, relative to how they handled the problem;
• Conversations with managers of other organizations who did not have satellite offices at the off-site location, as to how they handled the service and support requirements;
• Conversations with off-site facility executive managers;
• An analysis of the off-site locations’ information systems configurations and processing;
• Information flow processes; and
• The cyber security program needs of each location.
Based on the analysis, the cyber security officer determined that cyber security program satellite offices were indeed necessary, but some functions could be supported from the corporate office, such as risk management, policy development, and requirements.
The cyber security officer informed the CIO of the decision and the basis for the decision, emphasizing its cost-effectiveness. The CIO agreed based on the business logic shown by the cyber security officer, the minimal number of cyber security staff needed, and what the CIO sensed as the cyber security officer’s strong commitment to the cyber security program using a lowest cost/minimum risk approach.

The number of people in any working group tends to increase regardless of the amount of work to be done

Cyril Northcote Parkinson7

Developing the Cyber Security Program Organization Structure

Based on the cyber security officer’s analyses, the cyber security officer established the cyber security program organization—at least on paper.
The cyber security officer found that establishing the cyber security program organization to date had been the easy part. Now came the bureaucracy of coordinating and gaining approval of the cyber security program organization from the designated organizations, such as organizational planning, HR, and facilities, as well as completing their and other organizations’ forms.8
A word of caution to the cyber security officer: Some service and support organizations are more interested in proper completion of the administrative bureaucracy than in helping their internal customers. Just grin and bear it. You can’t change it, except over time, and now is not the time. The priority is getting the cyber security program and the cyber security organization off the ground. Concentrate on that priority.

Developing the Cyber Security Program Subordinate Organizations

The cyber security officer determined that the subordinate organizations must also have charters that identify the cyber security program functions that are to be performed by the staff of those organizations. The cyber security officer further determined that to recruit managers for the subordinate organizations was premature. The cyber security officer reasoned that what was needed first was professional cyber security personnel who could begin the actual program work. The cyber security officer would manage all the organizations until such time as the workload and cost-effectiveness considerations determined that a subordinate manager or managers were needed. Based on the work to be performed, and the analyses discussed above, the cyber security officer developed the charters for the subordinate organizations. In the interim, the cyber security officer used a matrix management approach with the off-site facility managers who were responsible to the CIO for overall information and information systems management.

Responsibilities of Cyber Security Program Subordinate Organizations

Cyber Security Program Access Control and Compliance
The cyber security officer is the acting manager of the cyber security program Access Control and Compliance subordinate organization.
The following is the summary of the position:
Provide the management and direction and conduct analyses required to protect information processed on the corporation’s information systems from unauthorized access, disclosure, misuse, modification, manipulation, or destruction, as well as implementing and maintaining appropriate information and information systems access controls; conduct noncompliance inquiries; and maintain violations tracking systems.9
Detailed accountabilities include:
1. Implement, administer, and maintain user access control systems by providing controls, processes, and procedures to prevent the unauthorized access, modification, disclosure, misuse, manipulation, or destruction of the corporation’s information.
2. Monitor user access control systems to provide for the identification, inquiry, and reporting of access control violations. Analyze system access control violation data and trends to determine potential systems’ security weaknesses and report to management.
3. Conduct inquiries into cyber security program violations/incidents and related cyber security program business practices, corporation policies, and procedures. Identify the exposures/compromises created, and recommend to management corrective and preventive actions.
4. Direct, monitor, and guide the cyber security program activities of the corporation’s access control support groups and systems to ensure adequate implementation of access control systems in meeting cyber security program requirements.
5. Establish and manage an information systems defensive system, including firewalls and related intrusion detection systems.
6. Provide advice on and assistance with the interpretation and implementation of cyber security program policies and procedures, contractual cyber security program requirements, and related documents.
Cyber Security Program Policy and Risk Management
The cyber security officer is the acting manager of the cyber security program Policy and Risk Management subordinate organization.
The following is the summary of the position:
Provide the management and direction and develop, implement, and maintain cyber security program policies and procedures, awareness, disaster recovery and contingency planning, cyber security program system life cycle processes, cyber security tests and evaluations, risk management, and cyber security program technical security and related programs to protect the corporation systems and information.
Detailed accountabilities include:
1. Identify all cyber security program requirements needed and develop the corporate policies and procedures necessary to ensure conformance to those requirements.
2. Evaluate all hardware, software, and firmware to ensure conformance to cyber security program policies and procedures, recommend modifications when not in conformance, and approve them when in conformance.
3. Establish and administer a cyber security tests and evaluations program to ensure compliance with systems’ security documentation and applicable cyber security program requirements.
4. Establish, implement, and maintain a cyber security technical program to identify all electronic threats and mitigate those threats in a cost-effective manner.
5. Establish and maintain a cyber security awareness program to ensure that the corporation management and users are cognizant of cyber security program policies, procedures, and requirements for the protection of systems and information and their related threats.
6. Develop, implement, and administer a risk management program to identify and assess threats, vulnerabilities, and risks associated with the information for which the corporation has responsibility and recommend cost-effective modifications to the cyber security program, systems, and processes.
7. Establish and maintain a disaster recovery/contingency planning program that will mitigate cyber security program, corporation information, and systems’ losses and ensure the successful recovery of the information and systems with minimal impact on the corporation.
Off-Site Cyber Security Program Organizations
The cyber security officer is also the acting manager of the off-site cyber security program subordinate organizations. However, the cyber security officer has determined that it will be necessary to appoint a person as a supervisor to manage the day-to-day operations of the off-site cyber security program. At the same time, there are not enough personnel, as stated by HR, to appoint a manager at each off-site location. However, the supervisor has authority to make decisions related to that activity, with several exceptions. The supervisor cannot counsel the cyber security program staff, evaluate their performance (except to provide input to the cyber security program manager), make new cyber security program policy, or manage budgets.
The following is the summary of the position:
Implement, maintain, and administer a cyber security program for the corporate resources at the off-site location and take the actions necessary to ensure compliance with the cyber security program requirements, policies, and procedures to protect the corporation’s information from compromise, destruction, and/or unauthorized manipulation.10
Detailed accountabilities include:
1. Implement and administer the corporation’s plans, policies, and procedures necessary to ensure compliance with the corporation’s stated cyber security program requirements for the protection of all information processed, stored, and/or transmitted on the corporation’s information systems.
2. Administer a cyber security tests and evaluations program to ensure that all the corporation’s information systems are operated in accordance with appropriate cyber security program requirements and contract specifications.
3. Administer and monitor the local use of the corporation’s information systems access control software systems, analyze all infractions/violations, and document and report the results of questionable user activity for cyber security program inquiries.
4. Identify information systems’ business practice irregularities and security violations/infractions; conduct detailed inquiries; assess potential damage; monitor the corporation management’s corrective action; and recommend preventive measures to preclude recurrences.
5. Administer a cyber security education and training awareness program for all the corporate managers and users of the corporation’s information systems to ensure they are cognizant of information systems’ threats and are aware of the cyber security program policies/procedures necessary for the protection of information and information systems.
6. Represent the cyber security program manager relative to all applicable corporation cyber security program matters as they apply to personnel, resources, and operations at the off-site location.
7. Provide advice, guidance, and assistance to management, system users, and systems’ custodians relative to cyber security program matters.
8. Perform other functions as designated or delegated by the cyber security program manager.

Cyber Security Job Descriptions

After establishing and gaining final approval for the cyber security organization, and while trying to begin establishing a formal, centralized cyber security program, the cyber security officer determined it was now time to begin hiring some cyber security professionals.
However, before that could be accomplished, and in accordance with the corporation organizational development and HR requirements, a cyber security job family first had to be established. After all, the corporation, being a high-tech, modern corporation, requires that employees be assigned to career families to support their career development program as directed by the HR Department. And, unfortunately, it seems that cyber security functions have never been a formal part of the corporation. Therefore, there are no job families that seem to meet the needs of the cyber security program functions.
The cyber security officer and the HR representative discussed the matter and agreed that the cyber security officer would write the cyber security functional job family descriptions. The cyber security officer was told that they must be generic, so they are flexible enough to support several cyber security job functions within each level of the job family. The HR representative advised the cyber security officer that this is necessary to ensure the flexibility needed for recruiting, hiring, and subsequent career development of the cyber security professionals. Also, it would streamline the process and ensure that the number of cyber security job family position descriptions could be kept to a minimum, thus also decreasing bureaucracy and paperwork.
At the conclusion of the meeting, the HR representative provided the cyber security officer with the job descriptions for the security, auditor, and IT job family. Also provided were several forms that had to be completed when submitting the cyber security job family descriptions, as well as forms to be used for documenting each job family description by grade level.
Armed with the challenges of this new onslaught of bureaucratic paper, and bidding adieu to the smiling HR representative, the cyber security officer headed back to the office to begin the task of writing the corporation’s cyber security job family as sample descriptions (while wondering when there would be time to do real cyber security program work).
After reviewing the provided job descriptions and reading the paperwork needed to make this all happen, the cyber security officer wrote and provided the HR representative with the function descriptions of the cyber security job family! After several iterations and compromises, and approvals through a chain of organizational staffs, the job family was approved.

Cyber Security Job Family Functional Descriptions

The following detailed cyber security job family functional descriptions were developed and approved by the applicable corporation departments:
1. Systems Security Administrator
Position summary: Provide all technical administrative support for the cyber security organization.
Duties and responsibilities:
a. Filing.
b. Typing reports and other word processing projects.
c. Developing related spreadsheets, databases, and text/graphic presentations.
Qualifications: High school diploma, 1 year of security administration or 2 years of clerical experience. Must type at least 60 words per minute.
2. System Security Analyst Associate
Position summary: Assist and support cyber security staff in ensuring all applicable corporation cyber security program requirements are met.
Duties and responsibilities:
a. Support the implementation and administration of cyber security software systems.
b. Provide advice, guidance, and assistance to system users relative to cyber security program matters.
c. Identify current cyber security program and cyber security functional processes and assist in the development of automated tools to support those functions.
d. Assist in the analysis of manual cyber security program and cyber security functions and provide input to recommendations and reports of the analyses to the cyber security officer.
e. Maintain, modify, and enhance automated cyber security functional systems of cyber security tests and evaluations, risk assessments, software/hardware evaluations, access control, and other related systems.
f. Collect, compile, and generate cyber security program functional informational reports and briefing packages for presentation to customers and management.
g. Perform other functions as assigned by the cyber security officer and cyber security management.
Position requires being assigned to perform duties in one or more of the following areas:
Access control—Maintain basic user access control systems by providing processes and procedures to prevent unauthorized access or the destruction of information.
Access control/technical access control software—Assist access control support groups and systems by providing software tools and guidance to ensure adequate implementation of access control systems in meeting cyber security program requirements, as well as defensive systems such as firewalls and related intrusion detection systems.
Access control/violations analysis—Monitor the use of the corporation access control software systems; identify all cyber security systems infractions/violations; document and report the results of questionable user and system activity for cyber security program inquiries.
Cyber security tests and evaluation/cyber security program systems documentation—Conduct cyber security tests and evaluations on stand-alone (nonnetworked) systems to ensure that the systems are processing in accordance with applicable cyber security program-approved procedures.
Qualifications: This position normally requires a bachelor’s degree in a cyber security-related profession.
3. Systems Security Analyst
Position summary: Identify, schedule, administer, and perform assigned technical cyber security analysis functions to ensure all applicable requirements are met.
Duties and responsibilities:
a. Represent cyber security program to other organizations on select cyber security program-related matters.
b. Provide advice, guidance, and assistance to managers, system users, and system custodians relative to cyber security program matters.
c. Provide general advice and assistance in the interpretation of cyber security program requirements.
d. Identify all cyber security program requirements necessary for the protection of all information processed, stored, and/or transmitted by the information systems; develop and implement plans, policies, and procedures necessary to ensure compliance.
e. Identify current cyber security program functional processes and develop automated tools to support those functions.
f. Analyze manual cyber security program functions and provide recommendations and reports of the analyses to cyber security management.
g. Maintain, modify, and enhance automated cyber security program functional systems of cyber security tests and evaluations, risk assessments, software/hardware evaluations, access control, and other related systems.
h. Collect, compile, and generate cyber security program function informational reports and briefing packages for presentation to customers and management.
i. Perform other functions as assigned by cyber security management.
Position requires being assigned to perform duties in the following areas:
Access control/technical access control software—Administer and maintain user access control systems by providing controls, processes, and procedures to prevent the unauthorized access, modification, disclosure, misuse, manipulation, or destruction of the corporation’s information, as well as defensive systems such as firewalls and related intrusion detection systems.
Access control/violations analysis—Administer and monitor the use of the corporation’s access control software systems; analyze all systems cyber security program infractions/violations; document and report the results of questionable user and system activity for cyber security program inquiries.
Noncompliance inquiry—Identify and analyze cyber security program business practice irregularities and cyber security program violations/infractions; conduct detailed inquiries; assess potential damage; monitor corrective action; and recommend preventive, cost-effective measures to preclude recurrences.
Risk assessment—Perform limited risk assessments of cyber security program systems and processes; determine their threats, vulnerabilities, and risks; and recommend cost-effective risk mitigation solutions.
Cyber security tests and evaluation/cyber security program system documentation—Schedule and conduct cyber security program tests and evaluations on stand-alone (nonnetworked) systems to ensure that the systems are processing in accordance with applicable cyber security program-approved procedures.
Qualifications: This classification normally requires a bachelor’s degree in a cyber security-related profession and at least 2 years of practical experience.
4. System Security Analyst Senior
Position summary: Identify, evaluate, conduct, schedule, and lead technical cyber security analysis functions to ensure that all applicable corporation cyber security program requirements are met.
Duties and responsibilities:
a. Provide technical analysis of cyber security program requirements necessary for the protection of all information processed, stored, and/or transmitted by systems; interpret those requirements; and translate, implement, and administer division plans, policies, and procedures necessary to ensure compliance.
b. Represent cyber security program on security matters with other entities as assigned.
c. Provide advice, guidance, and assistance to senior management, system managers, and system users and custodians relative to cyber security program matters.
d. Perform other functions as assigned by cyber security management.
Position requires being assigned to perform duties in the following areas:
Access control/technical access control software—Implement, administer, and maintain systems’ user access control systems through the use of controls, processes, and procedures to prevent their unauthorized access, modification, disclosure, misuse, manipulation, and/or destruction, as well as defensive systems such as firewalls and related intrusion detection systems.
Access control/violations analysis—Coordinate, administer, and monitor the use of systems’ access control systems; analyze systems security infractions/violations employing statistical and trend analyses and report the results.
Cyber security program awareness—Prepare, schedule, and present cyber security program awareness briefings to systems managers, custodians, and users. Act as focal point for dissemination of cyber security program information through all forms of media.
Disaster recovery—Coordinate and ensure compliance with system disaster recovery/contingency plans to ensure the rapid recovery of systems in the event of an emergency or disaster.
Hardware and software cyber security program evaluations—Evaluate all hardware, firmware, and software for impact on the cyber security program of the systems; monitor and ensure their modification if requirements are not met; and authorize their purchase and use within the corporation.
Noncompliance inquiry—Identify and conduct technical analyses of cyber security program business practices and violations/infractions; plan, coordinate, and conduct detailed inquiries; assess potential damage; and develop and implement corrective action plans.
Risk assessments—Conduct limited cyber security technical risk assessments; prepare reports of the results for presentation to management.
Cyber security tests and evaluations/cyber security program documentation—Schedule and conduct cyber security tests and evaluations to ensure that all the applicable systems are operating in accordance with cyber security program requirements.
Technical countermeasures—Conduct technical surveys and determine necessary countermeasures related to physical information leakage; conduct sound attenuation tests to ensure that information processing systems do not emanate information beyond the corporation’s zone of control.
Qualifications: This classification normally requires a bachelor’s degree in a cyber security-related profession and 4 years of practical, related experience.
5. System Security Analyst Specialist
Position summary: Act as technical cyber security program advisor, focal point, and lead to ensure all cyber security program functions are meeting the corporation requirements, as well as developing and administering applicable programs.
Duties and responsibilities:
a. Act as technical advisor for cyber security program requirements necessary for the protection of all information processed, stored, and/or transmitted by systems; interpret those requirements; and translate, document, implement, and administer the corporation cyber security program plans, policies, and procedures necessary to ensure compliance.
b. Represent cyber security program on security matters with other entities as assigned.
c. Provide advice, guidance, and assistance to senior management, IT managers, system users, and system custodians relative to cyber security program matters.
d. Perform other functions as assigned by cyber security management.
Position requires being assigned to perform duties in a combination of the following areas:
Access control/technical access control software—Implement, administer, and maintain systems’ user access control systems through the use of controls, processes, and procedures to prevent their unauthorized access, modification, disclosure, misuse, manipulation, and/or destruction, as well as defensive systems such as firewalls and related intrusion detection systems.
Cyber security program awareness—Prepare, schedule, and present cyber security program awareness briefings to system managers, custodians, and users. Act as focal point for dissemination of cyber security program information through all forms of media.
Disaster recovery—Coordinate and ensure compliance with system disaster recovery/contingency plans to ensure the rapid recovery of systems in the event of an emergency or disaster.
Hardware and software cyber security program evaluations—Evaluate all hardware, firmware, and software for impact on the cyber security program of the systems; monitor and ensure their modification if requirements are not met; and authorize their purchase and use within the corporation.
Risk assessments—Conduct limited cyber security program technical risk assessments; prepare reports of the results for presentation to management.
Cyber security tests and evaluations/cyber security program documentation—Schedule and conduct cyber security tests and evaluations to ensure that all the applicable systems are operating in accordance with cyber security program requirements.
Technical countermeasures—Conduct technical surveys and determine necessary countermeasures related to physical information leakage; conduct sound attenuation tests to ensure that information processing systems do not emanate information beyond the corporation’s zone of control.
Qualifications: This classification normally requires a bachelor’s degree in a cyber security program-related profession and 6 years of cyber security program experience.
6. System Security Engineer
Position summary: Act as a technical systems management consultant, focal point, and project lead for cyber security program functions and programs developed to ensure the corporation’s requirements are met.
Duties and responsibilities:
a. Act as a lead in the identification of government, customers, and corporation cyber security program requirements necessary for the protection of information processed, stored, and/or transmitted by the corporation’s systems; interpret those requirements; and develop, implement, and administer the corporation cyber security program plans, policies, and procedures necessary to ensure compliance.
b. Represent the cyber security program office, when applicable, on cyber security program matters as well as serving as the corporation’s liaison with customers, government agencies, suppliers, and other outside entities.
c. Provide advice, guidance, and assistance to senior and executive management, the corporation’s subcontractors, and government entities relative to cyber security program matters.
d. Provide technical consultation, guidance, and assistance to management, systems users, and cyber security program software systems by providing controls, processes, and procedures.
e. Establish, direct, coordinate, and maintain a disaster recovery/contingency program for the corporation that will mitigate systems and information losses and ensure the successful recovery of the system and information with minimal impact on the corporation.
f. Act as lead for the technical evaluation and testing of hardware, firmware, and software for impact on the security of the systems; direct and ensure their modification if requirements are not met; authorize their purchase and use within the corporation and approve them when in conformance.
g. Develop or direct the development of original techniques, procedures, and utilities for conducting cyber security program risk assessments; schedule and conduct cyber security program risk assessments and report results to management.
h. Direct and/or lead others in conducting technical cyber security program countermeasure surveys to support cyber security program requirements and report findings.
i. Direct and administer cyber security tests and evaluations programs to ensure that the applicable systems are operating in accordance with cyber security program requirements.
j. Provide technical consultation and assistance in identifying, evaluating, and documenting the use of systems and other related equipment to ensure compliance with communications requirements.
k. Investigate methods and procedures related to the cyber security program aspects of microcomputers, local area networks, mainframes, and their associated connectivity and communications.
l. Identify and participate in evaluation of microcomputer and local area network cyber security program implementations, including antivirus and disaster recovery/contingency planning functions.
m. Perform development and maintenance activities on cyber security program-related databases.
n. Recommend and obtain approval for procedural changes to effect cyber security program implementations with emphasis on lowest cost/minimum risk.
o. Lead and direct cyber security personnel in the conduct of systems cyber security program audits.
p. Participate in the development and promulgation of cyber security program information for general awareness.
q. Perform other functions as assigned by the cyber security manager.
Position requires being assigned to perform duties in the following area:
Supervisor, project leader—Provide assistance, advice, guidance, and act as technical specialist relative to all cyber security technical functions.
Qualifications: This classification normally requires a bachelor’s degree in a cyber security-related profession and a minimum of 10 years of cyber security program-related experience.

Recruiting Cyber Security Professionals

Once the cyber security officer had gotten the cyber security organizational structure and the cyber security job family functional descriptions both approved, the next task was to begin recruiting and hiring qualified cyber security professionals.
Hold it! Not so fast! The cyber security officer must first determine the following:
• How many cyber security professionals are needed?
• What functions will they perform?
• How many are needed in each function?
• How many are needed in what pay code?
• How many should be recruited for the off-site location?
• Does the off-site location or main plant have the highest priority?
The cyber security officer must plan for the gradual hiring of personnel to meet the cyber security program and cyber security organizational needs based on a prioritized listing of functions. Obviously, a mixture of personnel should be considered. One or two high-level personnel should be hired to begin establishing the basic cyber security program and cyber security processes. Personnel who meet the qualifications of a system security engineer should be hired immediately. At least two should be hired. One would be the project lead to begin the process of establishing the formal functions of one of the cyber security subordinate organizations and the other would do the same for the other cyber security organization. At the same time, the access control function positions should be filled, as they represent the key cyber security program mechanism of access control.
Functions such as risk management, noncompliance inquiry, and the awareness program could come later. The rationale used by the cyber security officer for this decision was that cyber security program policies had not been established, so there was nothing on which to base noncompliance inquiries or an awareness program. The next position to be filled, after the two systems security engineers and access control personnel, was the position of the emergency planning, disaster recovery planning, and contingency planning specialist.
The cyber security officer reasoned that while access controls were being tightened up and analyzed, the engineers were beginning to build the process for each function, with much of the access control process development being done with the assistance of the access control administrators. In the event of a disaster, the systems must be up and operational in as short a time period as possible. This is crucial to the well-being of the corporation.
Unfortunately, the type of individual the cyber security officer would ideally want to employ is not usually readily available. In addition, the corporation’s policy is one of “promote from within” whenever possible. So, although a more qualified individual may be available from outside the corporation, the cyber security officer may have to transfer a less qualified individual currently employed within the corporation, because that person does meet the minimum requirements for the position—at least as interpreted by the HR personnel.
The cyber security officer soon began to realize that compromise and coordination were a must if there was to be even a slight chance of succeeding in building the corporation cyber security program. Based on a self-evaluation, the cyber security officer decided to find as many people as possible within the corporation who were willing to transfer and who met the minimum requirements for a cyber security program position. The cyber security officer soon learned why the job descriptions approved through the HR Department include words such as “normally” and “equivalent.” The cyber security officer naively thought that those words would assist in bringing in cyber security professionals. It never entered the cyber security officer’s mind that others could also use the position descriptions to help recruit personnel—some who just barely would meet the minimum requirements!
For the cyber security officer who is trying to quickly build a cyber security program and cyber security organization, the compromises on staff selection may help or they may hurt. In either case, it is important to begin the hiring process quickly.

Identifying In-House Cyber Security Candidates

Those individuals within the corporation organizations who have been providing access control in either a full- or a part-time position for their department’s local area networks may be good access control candidates.
The IT Department may also be a place to “recruit” (make personnel aware of the positions available) cyber security candidates. The audit and cyber security organizations may also provide places to find cyber security candidates.
A word of caution to the cyber security officer: Most managers do not take kindly to recruiting of their employees, as it means they will be short-handed until they can find replacements. In addition, the cyber security officer should beware of individuals whom the managers recommend. These may just be the people that the manager has been trying to find some way to get rid of for some time!
The cyber security officer has enough problems building a cyber security program, establishing and managing a cyber security organization, handling the day-to-day cyber security program problems, attending endless meetings, trying to hire a professional cyber security program staff, and having to transfer personnel who don’t meet the cyber security officer’s expectations, without also being saddled with an employee recommended by another manager who turns out to be a “difficult” employee.
A difficult employee will occupy more of the cyber security officer’s time than three other staff members combined. It seemed that the corporation IT Department had a penchant for this. So, beware of geeks bearing gifts!

Identifying Outside Cyber Security Candidates

There are many sources that can be used to recruit talented cyber security professionals, many limited only by imagination and budget (especially budget!). Regardless of how or where you recruit, the recruitment must be coordinated with the HR staff.
To recruit cyber security personnel, the Controller must validate and approve (on another form, of course) that there is budget set aside for the cyber security organization to hire staff.
Then, once that hurdle is cleared, the HR personnel must validate that you have completed the necessary form describing the position you want to hire against, the minimum qualifications, and the pay range for that position. Luckily, all the cyber security officer has to do in this case is basically transcribe the general position description onto the new HR form used for recruiting candidates and advertising the position.
Just as the corporation cyber security officer thought that the door was now flung wide open to recruit cyber security professionals, one of the HR personnel walked up to the cyber security officer and mentioned how boring the HR job was, and that it would be nice to transfer to another, more exciting organization—and the cyber security job seemed to be a very exciting one. Experience? Well, of course the person is proficient in using a computer! Another often-found problem is the manager or staff member who has a cousin just graduating from college who would be perfect for the cyber security position.
The cyber security officer soon began to realize that building and managing an outstanding, state-of-the-art cyber security program and a cyber security organization staffed by talented cyber security professionals might become more of a dream than a reality.
Once the cyber security officer was able to fend off these and similar charges, the recruitment effort within and outside the corporation could start in earnest! Among the ways to recruit cyber security professionals are through:
• Local advertisement in trade journals, newspapers, etc.,
• Hiring a consulting firm to find the right people,
• Passing the word among colleagues,
• Asking cyber security associations to pass the word, and
• Using the Internet to advertise the position.
With a few cyber security personnel on board, the cyber security officer could begin to work on the cyber security program and also begin work on developing the baseline processes and functions with the cyber security organization.

Questions to Consider

Based on what you have read, consider the following questions and how you would reply to them:
• Do you have a formal, that is, documented cyber security program?
• If not, why not?
• What would you consider as the benefits of such a plan?
• What would you consider as the negatives of such a plan?
• Have you ever briefed executive management on cyber security-related matters?
• Do you identify the costs of staffing and providing cyber security functions using a cost–benefit risk management process?
• If you were to develop a cyber security program for the corporation, what would you do differently from what was stated in this chapter?
• If you could build and manage a cyber security organization for the corporation, how would the structure compare to the one cited in this chapter, and why?
• How would you manage the off-site locations—for example, would you manage them from the corporate office, or ask some off-site manager to matrix manage the staff for you?
• What other job descriptions would you add to the ones provided?
• What other duties and responsibilities would you add to the job descriptions provided in this chapter?
• Do you know how to successfully work with HR staff to meet their requirements and also effectively and efficiently get your objectives accomplished?

Summary

Once plans were in place, the cyber security officer could begin to develop a cyber security organization to support the cyber security program. To do so, the cyber security officer must understand the following:
• Establishing an effective and efficient cyber security organization and program requires a detailed analysis and integration of all the information that has been learned through the entire process of becoming a cyber security officer at the corporation.
• Determining the need for cyber security subordinate organizations requires detailed analysis of the corporation’s environment and an understanding of how to successfully apply resource allocation techniques to the cyber security functions.
• Once the need for cyber security subordinate organizations is determined, the cyber security officer must determine what functions go in what organizations.
• Establishing a formal cyber security organization and cyber security job family requires cooperation with HR organizations and others; patience and understanding are mandatory.
• A cyber security officer who establishes a new organization for a corporation will be compelled to live within a less than ideal corporate world in which forms and bureaucracies rule the day. To survive, the cyber security officer must understand how to use those processes efficiently and effectively to succeed.
• In most corporations, currently employed personnel who desire a cyber security position, and who meet the minimum cyber security requirements, must be hired before hiring an individual from the outside.
• Recruiting qualified cyber security professionals can be accomplished only through a widespread recruitment effort, using many marketing media; and successful advertisement is sometimes a matter of how much recruitment budget is available.

1 Petronius Arbiter (27–66), Roman satirist. Satyricon (first century) as quoted in Microsoft’s Encarta World.

2 Some of the information from this section was modified from Dr. Gerald L. Kovacich’s book coauthored with Edward P. Halibozek, The Manager’s Handbook for Corporate Security: Establishing and Managing a Successful Information Assets Protection Program, published by Butterworth–Heinemann, 2003; now pending publication of a second edition.

3 You may wonder why we go into such detail as to who is hired to do what or how it is done at the corporation. The reason is to provide, as nearly as possible, real-world experiences to the reader. Such information helps the reader by providing information that can be applied in real corporations; it also develops an overall knowledge of establishing and managing a corporate information assets protection program. In this case, a cyber security officer may look for someone to write policies by first looking for someone who knows security, when in fact it is more important to hire someone who can write policy. What to write will come from many sources. The policy specialist will not operate in a vacuum. How to write in clear and concise terms without ambiguities is the key.

4 It is easy to take for granted the work of the staff. As a cyber security officer you should be sensitive to that and never forget to say thanks once in a while. It doesn’t take a lot of effort, and it pays great dividends. Just like you, employees like to know they are appreciated.

5 Of course, this list is just a sample, as the topics would be based on the corporation, the corporate culture, and the methods used for publishing and implementing directives within each corporation.

6 The physical security aspects of the requirements would have been coordinated with the applicable Security Department managers, since they have the responsibility for the physical security of the corporation assets. The cyber security officer’s rationale was that physical security should be addressed in this document, because it is a basic protection process. The Director of Security agreed and approved that process.

7 Cyril Northcote Parkinson (1909–1993), British political scientist, historian, and writer. Parkinson’s Law (1958), as quoted in Microsoft’s Encarta World.

8 Since each corporation has a somewhat different forms bureaucracy, no attempt will be made here to complete any forms. Those readers who have to make any changes in an organization can appreciate the maze the cyber security officer must now go through.

9 The cyber security officer decided that the priority of the cyber security program was the systems and information at their facilities. The sticky problem of dealing with cyber security program issues, such as subcontractors and customers, would have to wait. The cyber security officer reasoned that if it had a successful, professional program, it would be easier to gain the cooperation of those outside the corporation.

10 Because of its off-site location, this position requires cyber security program functions to be performed that are similar to or the same as most functions noted for the entire cyber security program organization.
