Cybersecurity is Everyone’s Job

A Publication of the National Initiative for Cybersecurity Education Working Group Sub-Group on Workforce Management at the National Institute of Standards and Technology

Draft: For Public Comment
Introduction

The human is the greatest vulnerability in any organization. In this era of persistent cyber threats, an organization will be secure only with the active participation of everyone. Unfortunately, many organizations limit security responsibilities to designated security personnel that perform specialized security functions. But effective security must be enterprise-wide, involving everyone in fulfilling security responsibilities. Each member of the group, from the newest employee to the chief executive, holds the power to harm or to help, to weaken or strengthen, the organization’s security posture.

This guidebook outlines what each of us should do to protect the organization, based on the types of work we do.

Benefits of this Guidebook
• Helps you to know what you need to do, based on your role
• Engages all functions and roles—technical and non-technical—in securing critical information and systems
• Provides essential, must-do-first guidance in plain language
• Turns the organization’s greatest vulnerability—its people—into the organization’s greatest asset
Why this Guidebook is Needed

From critical information systems holding sensitive data (Information Technology, or IT), to critical operational systems running physical processes (Operational Technology, or OT), every organization today depends on their technology to be successful. Even those entities that do not maintain a robust technology environment must still operate in a world that depends on IT and OT—and the humans that own, manage, and use those systems.

Contrary to the common misunderstanding that cyber threats are a technology problem looking for a technology solution, the data clearly and consistently shows that employees are the greatest vulnerability of any organization. This means that no matter how robust the technology is, or how many cybersecurity policies the Chief Information Security Officer (CISO) may have introduced, the organization cannot be secure without all individuals doing their part, across all business functions, technical and non-technical.

Consider how dependent our public health is on the active participation of everyone. We are all educated and encouraged to exercise good hygiene such as washing hands and seeking preventative care through immunizations, and even children are well versed in best practices for covering your mouth when you sneeze, handwashing and so forth. However, even when well-trained medical professionals are delivering exceptional care in a robust health care system, the spread of diseases is primarily prevented through good hygiene. Similarly for good “cyber hygiene,” when each of us takes appropriate care, we protect the larger community.

Another common misunderstanding is that organizations just need to hire more technically-savvy cybersecurity professionals. Without a doubt, these skilled people are very important. Without them, essential technical safeguards could not be implemented, ongoing security operations would not be conducted, and there would be no one to respond to the next cyber incident. However, the largest “attack surface” of the organization is you and me—the people who perform common functions: Leadership, Planning, and Governance; Sales, Marketing, and Communications; Facilities, Physical Systems, and Operations; Finance and Administration; Human Resources; Legal and Compliance; and routine Information Technology operations. Therefore, cybersecurity is everyone’s job.
Who Can Use this Guidebook?

This guidebook is intended for every kind of organization, from large government agencies and publicly-traded corporations to nonprofits and small, family-owned businesses, since all organizations must perform common, essential activities. These functions include generating revenue, communicating with external customers and stakeholders, delivering products and services, leading people, and managing financial and legal matters. Each of these areas routinely exposes the organization to a variety of cyber-related business risks. To reduce these risks, each person in each business function must be involved, understanding your role and taking individual responsibility for mitigating cyber risks.

In the following pages, you’ll find practical guidelines for action, organized by business function. Many of these tasks are simple… so simple that they might seem inconsequential. But these guidelines reflect proven best practices developed by security experts from government, industry and academia.

The cybersecurity of your organization depends on you, and here’s what you can do.

How to Use this Guidebook

This guidebook is organized by business function—those essential activities which all organizations must perform to at least some extent. Each function represents work that may be performed by a number of formal job roles, or they may be performed by one person, depending on the size of the organization. They are intended for full-time employees, part-time hires, leaders at all levels, and those who perform tasks in that particular business function, even if their primary role is elsewhere. The goal is to build a cyber-secure workforce, with each person doing their part to secure the organization. The business functions are presented as seven categories:

»» Leadership, Planning, and Governance
»» Sales, Marketing, and Communications
»» Facilities, Physical Systems, and Operations
»» Finance and Administration
»» Human Resources
»» Legal and Compliance
»» Information Technology

Each section is written so that it may be used as a stand-alone reference for that particular business function; therefore, some of the guidelines will appear in multiple sections.

Additional resources, references and information on how this guidebook was developed are contained in the appendices.

Please note that the information in this guidebook is not intended to replace your organization’s security policies; rather, it provides a supplemental quick reference of actions that each person can perform to ensure the organization’s cyber resilience.

This document can be shared as-is, or organizations may tailor it to their needs and communication methods—in materials such as booklets, webpages, publications, or webinars. The intent is for users to understand how everyone in an organization—across all business functions and roles—can enforce the cybersecurity posture of their organization.
Building a Cyber-Secure Culture

First, a word on culture. Your organization’s culture is critical to establishing a successful cybersecurity posture. Without a culture that emphasizes, reinforces, and ultimately drives behavior toward security, the necessary conditions will not be set. In other words, a resilient workforce will not exist without a cyber-secure culture.

Mindset

Mindset is a critical component of culture. When we build awareness into the organizational culture, we increase our readiness to address cyber risks and we help keep our collective eyes open. Whether you work in a small non-profit or a Fortune 100 company, every organization is at risk. Given the prevalence of cyber attacks, we need to stay prepared. Collectively, the appropriate behaviors at the individual level will contribute toward the resilient workforce that every organization needs. And behaviors are driven by mindset.

Leadership

Your organization’s leaders set the tone. No factor is more significant to impacting awareness and mindset than leadership. Leadership, by example and emphasis, becomes the basis of a cyber-secure culture. In practice, this means the personal example of individual leaders, as well as their emphasis to team members, to embrace cybersecurity education, awareness and best practices. It is important for leaders to understand that deep technical knowledge is not required; rather, an open and honest approach to improving personal security habits based on sound guidelines, shared with others, is what matters. Simply put, leadership involvement is the single most important factor for a cyber-secure organization.

Training and awareness

Once leaders are involved in fostering and participating in a cyber-secure culture, the next step is to implement employee awareness training. This will help to build a more complete understanding of risks, and—most importantly—provide specific steps for mitigating them. Training programs come in many forms, but most involve a series of computer-based learning modules and practical exercises. Formal training is designed to increase awareness of various attack forms and methods, and how to react to them, as well as the company’s required security practices. One area of increasing concern is the use of social engineering, or manipulation, to spread exploits via unsuspecting employees. They may have access to the targeted data or system; or may be used to continue spreading malware to others who do. As a result, hardening your employees to the reality of socially engineered concerns is a key element in a training program. No program will lead to a sustained 100% success rate against human factor-based exploits, but they can substantially reduce the volume, and potentially even the impact, of attacks. By reducing volume, your cyber defenders can focus on a smaller, more manageable set of incidents.

Another common way to help build cyber-secure culture is through internal awareness campaigns; there are numerous creative ways to get the message across. From posters and newsletters to contests and prize drawings, organizations have found effective ways to generate “buzz” around important themes. While these methods should be employed year round, National Cybersecurity Awareness Month, observed in October, is a particularly good time to emphasize these themes.

Performance management

As change management professionals will attest, a proper set of incentives and disincentives can have a profound impact on human behavior. For real cultural change to occur in cybersecurity preparedness, individual performance goals must align with the goals of the organization. In most cases, individual goals are already comprised of a combination of quantifiable metrics and qualitative targets. Performance goals in security can include completion of required training, improved responses to phishing exercises, compliance with policies, and avoidance of risky online behaviors. Financial and operational metrics are common in organizations; security-related metrics should be also.

Technical and policy reinforcement

Finally, specific technical controls associated with human behavior can be implemented to reinforce cyber-secure culture. While controls are generally implemented to mitigate the risks of failures in human behavior, they also have the effect of reinforcing culture, since they tend to funnel behaviors down acceptable paths. Just as physical access controls reinforce the mental awareness of a physical perimeter, so can password policies, multi-factor authentication and mobile device management solutions reinforce security culture, albeit in a modest and indirect manner, by reminding users of the need for cybersecurity. Policy at the organizational level can also motivate and influence implementation of controls by outlining the consequences of non-compliance.

There are many ways that these guidelines can be implemented, reflecting the unique values, personalities and activities of each organization. What matters is that they form the basis for developing a cyber-secure culture by increasing awareness and fostering the right mindset. With a sound cyber-secure culture in place, each business function can focus on its own unique contribution towards protecting the organization.
Leadership, Planning, and Governance

Setting overall direction, establishing priorities, planning and decision making, maintaining influence, and mitigating risks

What Leadership, Planning, and Governance does

If you are responsible for the overall strategic direction of the organization, or for maintaining controls and mitigating risks, this section applies to you. Leadership, Planning, and Governance professionals are often the most senior leaders, or are directly supporting strategic decision makers. You may be involved in board proceedings, contribute as senior level management or manage a complex government agency, with fiduciary responsibility and budget authority. Or, you could be the owner-operator of a small business or franchise. What all these roles have in common is that final decisions are made by you, or you are supporting those who make those decisions. Because competing demands must be balanced and limited resources allocated, you play a crucial role in establishing priorities and ensuring adherence to them. At the same time, strategic risks to the organization must be addressed. You are often the arbiter of difficult decisions.

You matter to the organization, because without you, the organization lacks direction and cohesion. You are the hub of the wheel—connecting to, coordinating, and driving the many parts of the business.

The role of Leadership, Planning, and Governance in cybersecurity is all about:
• Managing and mitigating overall cyber-related business risks
• Establishing effective governance controls
• Prioritizing and resourcing cybersecurity programs
• Safeguarding the sensitive information you rely on for planning and decision making
• Establishing a cyber-secure culture within the organization

Your title includes words like…
Director, Board, Chairman, Chief, President, Partner, Principal, Owner, Founder, Secretary, Consultant, Strategy, Governance, Risk, Intelligence, Controls

Information and systems you own, manage, or use
• Strategic plans
• Board and senior management proceedings
• Financial records
• Merger and acquisition information
• Third-party recommendations and reports
• Routine communications of a sensitive nature

What Leadership, Planning, and Governance professionals should do:
• Understand cybersecurity well enough to enable sound decision making
  »» Establish a routine reporting process for cyber risks within the organization
  »» Engage with trusted third parties to learn about cyber risks and their mitigations—this includes consultants, industry groups, and cybersecurity service providers and educators
  »» Regularly commission objective risk assessments of the organization
  »» Implement cybersecurity best practice frameworks, maintained by authoritative entities such as the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), and International Organization for Standardization (ISO)
• Include cyber risks in the enterprise risk management process
  »» Avoid treating cyber risks as a separate and mysterious matter only for technologists
  »» Understand the organizational impacts of cyber incidents
  »» Consider risks introduced by partners and suppliers
  »» Conduct exercises and decision-making drills to familiarize yourself and your organization with how to respond
  »» Prioritize cyber-related risks to ensure appropriate attention and effort is committed to their mitigation
• Develop and maintain organizational information security policies and standards
  »» Ensure that information security policies are informed by risk assessment, regulations, and standards / best practices
  »» Ensure organizational security policies are appropriately implemented, institutionalized and communicated
  »» Be aware of relevant data protection / privacy regulations and legislation to ensure that your organization remains in compliance, e.g., General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Freedom of Information Act (FOIA), Sarbanes-Oxley (SOX), Family Educational Rights and Privacy Act (FERPA)
  »» Have a schedule in place to regularly review and update policies
• Promote the development of effective cross-functional teams to accomplish cybersecurity goals for the organization.
• Adequately fund cybersecurity resource requests
  »» Digital assets cannot be protected without human and technical resources; be ready to commit resources aligned to a cohesive cybersecurity strategy
  »» Plan for future needs
• Protect sensitive strategic, financial, legal, and risk information
  »» Share only necessary information
  »» Ensure the information is retained/destroyed in compliance with the organization’s data retention policies or external regulations
  »» Use encryption, passwords, and other methods to secure files when you transfer them to others
• Protect access to online file sharing or decision support platforms by applying best practices, such as:
  »» Strong, complex passphrases
  »» Unique passphrases for each critical account
  »» Multi-factor authentication

What we all should do:
• Use social media wisely
  »» Apply strong privacy settings
  »» Don’t share personal information on business accounts
  »» Don’t share business information on personal accounts
• When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:
  »» Change your wireless router password, SSID, and limit ability of others to find it
  »» Maximize encryption levels on your wireless router
  »» Increase privacy settings on your browser
  »» Use Virtual Private Networks (VPN) to access corporate networks whenever possible
  »» For additional security, protect browsing privacy through encrypted browsers
  »» For additional security, protect personal email accounts through encrypted email
• When traveling, secure your connections to the enterprise:
  »» Do not enter sensitive information on public computers
  »» Use VPN access to corporate networks whenever possible
  »» Do not use public Wi-Fi without VPN
  »» Use a dedicated wireless hotspot for internet access
  »» If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
  »» Physically protect your computer from theft and unauthorized access

A note to leaders:

You are ultimately responsible. The organization will not be cyber-secure until you are actively involved in understanding, prioritizing, speaking about, and leading by example in protecting digital assets. Work with cybersecurity experts—externally and those you hire internally—to establish sound guidelines, be familiar with those guidelines, implement them yourself, and ensure that your teams know what they’re expected to do. Don’t be afraid to ask questions. Nobody expects you to understand cyber as well as you understand finance or operations, but everyone expects you to mitigate risks to the business—and cyber risks are real. Your job depends on how well you address the real risks of an often-unfamiliar subject.
Sales, Marketing, and Communications

Raising awareness, communicating, generating revenue, and interacting with customers

What Sales, Marketing, and Communications does

If you are interacting with customers, clients, donors or citizens, this applies to you. Sales, Marketing, and Communications professionals are those who engage prospective and existing customers to drive awareness of products and services, stimulate interest, and generate revenue through sales or other means. You may also be involved in public- and media-facing communications. You are the messengers of the organization, carrying news of the good things you provide to those who need to know, and responding to current events. This includes the crucial work of converting business ideas into real business deals. Along with the people who deliver the products or services, you are often the most visible, outward-facing people in your organization.

You matter to the organization, because without you, ideas, products and services sit idle—you make the organization a vibrant part of the world around it.

Your title includes words like…
Sales, Accounts, Client, Revenue, Donor Relations, Advertising, Social Media, Marketing, Demand Generation, Communications, Media Relations, Analyst Relations, Public Affairs, Community, Stakeholder, Engagement

Information and systems you own, manage, or use
• Customer data
• Partner data
• Contracts
• Financial data
• Customer Relationship Management (CRM) systems
• Customer support portals
• Press releases
• Public announcements
• Public-facing websites
• Social media accounts

The role of Sales, Marketing, and Communications in cybersecurity is all about:
1. Establishing and protecting the company brand, reputation and the trust of citizens, customers, and partners
2. Preventing/limiting information loss as you interact with the outside world
3. Reducing risks to the enterprise network presented by remote work, telecommuting, and travel

What Sales, Marketing, and Communications professionals should do:
• Communicate the importance of cybersecurity matters to your stakeholders
  »» Access reputable sources to develop a well-rounded understanding of how information and systems fit into the ecosystem of the people you interact with—this includes consultants, industry groups, cybersecurity service providers and educators
  »» Understand the potential impact to your organization of a cyber incident
  »» Inventory the types of information entrusted to the care of your organization, and consider the potential impact of data compromise for your customers and partners
• Develop a communications plan for the inevitable cyber incident
  »» Participate in internal incident response team planning
  »» Become familiar with the cyber incident response plan
  »» Participate in “table-top exercises” and other planning efforts in anticipation of cyber incidents
  »» Draft a communication plan consistent with regulatory requirements, legal considerations, industry best practices, and commitments made to external stakeholders
• Protect shared files
  »» Use encryption, passwords, and other methods to secure files when you transfer them to/from customers and partners
• Protect access to your Customer Relationship Management (CRM) platform by applying best practices, such as:
  »» Strong, complex passphrases
  »» Unique passphrases for each critical account
  »» Multi-factor authentication
  »» Restricting levels of access by need
  »» Removing employees or vendors when they are no longer involved
• Protect customer information in quotes, purchase orders, invoices, payments, and presentations
  »» Share only necessary information
  »» Ensure the information is destroyed in compliance with the organization’s data retention policies or applicable regulations
• Be aware of the implications of conducting business in foreign jurisdictions with different regulations such as the European Union’s General Data Protection Regulation (GDPR)

What we all should do:
• Use social media wisely
  »» Apply strong privacy settings
  »» Don’t share personal information on business accounts
  »» Don’t share business information on personal accounts
• When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:
  »» Change your wireless router password, SSID, and limit ability of others to find it
  »» Maximize encryption levels on your wireless router
  »» Increase privacy settings on your browser
  »» Use Virtual Private Networks (VPN) to access corporate networks whenever possible
  »» For additional security, protect browsing privacy through encrypted browsers
  »» For additional security, protect personal email accounts through encrypted email
• When traveling, secure your connections back to the enterprise
  »» Use VPN access to corporate networks whenever possible
  »» Do not enter sensitive information on public computers
  »» Do not use public Wi-Fi without VPN
  »» Use a dedicated wireless hotspot for internet access
  »» If a hotspot is not available, consider tethering to an issued cell phone
  »» Physically protect your computer from theft and unauthorized access

A note to leaders:

Implementing cybersecurity best practices is hard to do with external-facing employees, particularly if they are out in the field most of the time. The most effective aspect of leadership is to lead by example: know these guidelines, implement them yourself, and ensure that your teams understand what they’re expected to do.

Demand cyber-secure resources. If your organization does not provide secure connections, such as multi-factor authentication, VPN, and/or mobile hotspots, demand it! Your job, and the organization’s reputation, depends on maintaining the trust of citizens, customers, and partners.
Facilities, Physical Systems, and Operations

Designing and delivering products and services, managing operations, and maintaining the physical environment

What Facilities, Physical Systems, and Operations does

If you are designing and delivering the organization’s core products and services to your customers, or are part of the core operations to support delivery, or are managing and maintaining the physical environment, this section applies to you. Since the types of products and services vary greatly, Facilities, Physical Systems, and Operations covers a diverse range of roles from site management to product engineer to operations analyst to distribution manager, and beyond. You deliver the organization’s value to the world, fulfilling its primary purpose. Your role directly impacts citizens, customers, and partners who depend on your organization’s products and services.

You matter to the organization, because successful development and delivery of its products and services depends on you. The organization would cease to function without the capabilities you provide, and the primary purpose of the organization would go unfulfilled. Your performance is also crucial to maintaining a competitive advantage—what makes your organization unique and respected—in a crowded, noisy, and busy world. Furthermore, the technology systems you operate, including those that enable physical processes (Operational Technology (OT), rather than Information Technology (IT)), come with potential risks to life and limb, making your security readiness paramount.

Your title includes words like…
Operations, Delivery, Consultant, Services, Engineering, Process Control, Workplace, Plant, Facilities, Fabrication, Office, Maintenance, Logistics, Supply Chain, Real Estate, Design, Manufacturing

Information and systems you own, manage, or use
• Intellectual property
• Plans, diagrams and schematics
• Physical control systems
• Supervisory Control and Data Acquisition (SCADA) systems
• Building management systems (BMS)
• Physical security systems

The role of Facilities, Physical Systems, and Operations in cybersecurity is all about:
1. Protecting the uniqueness of the products and services that your organization delivers
2. Securing physical systems from compromise
3. Integrating cybersecurity with physical safety and security

What Facilities, Physical Systems, and Operations professionals should do:
• Identify cyber risks to the resilience of physical systems, including control systems
  »» Engage IT and OT stakeholders
  »» Engage trusted third parties to develop an understanding of cyber risks in the physical environment
  »» Perform a comprehensive assessment of the physical environment to identify vulnerabilities and weaknesses
• Develop a comprehensive plan to improve the security of control systems
  »» Leverage cybersecurity best practice frameworks, maintained by authoritative entities such as National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), International Organization for Standardization (ISO)
• Incorporate cybersecurity measures into the safety program
  »» Ensure employee training includes awareness of cyber risks in the physical environment
  »» Leverage the safety program as another means to foster a cyber-secure culture
  »» Partner with IT to develop a system for guests who access the physical environment: limiting direct access, providing a restricted Wi-Fi network, etc.
• Protect intellectual property
  »» Use encryption, passwords, and other methods to secure files when you transfer them to/from customers and partners
  »» Share only necessary information
  »» Ensure sensitive information is destroyed in compliance with the organization’s data retention policies or external regulations
  »» Prevent remote access to systems unless absolutely necessary
• Protect access to your information repositories by applying best practices, such as:
  »» Strong, complex passphrases
  »» Unique passphrases for each critical account
  »» Multi-factor authentication

What we all should do:
• Use social media wisely
  »» Apply strong privacy settings
  »» Don’t share personal information on business accounts
  »» Don’t share business information on personal accounts
• When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:
  »» Change your wireless router SSID and password from the default or “out of the box” settings
  »» Change the password frequently and monitor connected devices
  »» Maximize encryption levels on your wireless router
  »» Increase privacy settings on your browser
  »» Use VPN to access corporate networks whenever possible
  »» For additional security, protect browsing privacy through encrypted browsers
  »» For additional security, protect personal email accounts through encrypted email
• When traveling, secure your connections back to the enterprise
  »» Use VPN access to corporate networks whenever possible
  »» Do not enter sensitive information on public computers
  »» Do not use public Wi-Fi without VPN
  »» Use a dedicated wireless hotspot for internet access
  »» If a hotspot is not available, consider tethering to an issued cell phone
  »» Physically protect your computer from theft and unauthorized access

A note to leaders:

Cultural barriers are as big as any other factor when it comes to cybersecurity in industrial environments and physical systems. It will require persistence, education, and leadership by example to build bridges between operational technology and information technology professionals, as well as between cybersecurity and industrial safety advocates.

Address risks holistically, across all domains. Insist that your employees do the same. Just as safety culture is driven by good leadership, sound performance management, and effective training, so is cybersecurity culture in operational environments.
Finance and Administration
Providing planning, forecasting, accounting, transactional and administrative support to all functions within the organization

What Finance and Administration does
If you are involved in managing the organization’s finances, from planning and budgeting to accounting and transactions through risk management, this section applies to you. You are responsible for ensuring that each part of the organization has the ability to pay for goods and services, operate within a budget, track revenues and expenditures, and conduct business with external entities—from customers to suppliers. You may also provide administrative support to the Planning and Governance function or manage office operations. While this function includes all persons with a full-time role in these areas, it also applies to all executives, managers, and associates who handle financial and administrative matters; in other words, just about everyone.
In many cases, the Finance and Administration function includes enterprise risk management, with associated processes and personnel reporting into a Chief Finance Officer (CFO) or similar role. Internal audit and compliance functions may also be included.
You matter to the organization because nothing can happen without the ability to maintain financial health, perform essential transactions, manage business risks and support the Planning and Governance function.

The role of Finance and Administration in cybersecurity is all about:
1. Integrating cyber risks into the enterprise risk management process
2. Resourcing cybersecurity initiatives consistent with security strategy, and balanced with other IT investments
3. Maintaining the confidentiality and integrity of sensitive financial information to ensure security and compliance with applicable policies

Your title includes words like…
Finance, Financial, Comptroller, Accountant, Budget, Risk, Compliance, Contracting, Purchasing, Procurement, Vendor Management, Auditor, Examiner, Loan, Trader, Underwriter

Information and systems you own, manage, or use
• Financial performance records
• Budgets
• Financial assessments and audit reports
• Tax filings (e.g. IRS forms)
• Public files (e.g. SEC forms)
• Planning tools and platforms
• Enterprise risk management tools and platforms
• Risk assessments and audit reports
• Compensation and benefits information
• Accounts payable systems
• Accounts receivable systems
• Contracts

What Finance and Administration professionals should do:
• Ensure that cyber risks are integrated into the enterprise risk management process
»» Identify cyber-related risks to the enterprise early in the risk management process, not as a separate activity or late addition
»» Understand the many different business effects of cyber threats, which range from business disruption and loss of credibility to legal liability and physical damage
• Provide sufficient funding to enable the success of the organization’s cybersecurity strategy
»» Reference the organization’s security strategy and external best practice frameworks to help prioritize investments
»» Work with cybersecurity leaders to understand how their resource requests align with strategy (which, in turn, should align with enterprise risk management); differentiate between the must-haves and nice-to-haves
»» Develop a complete view of security-related spending, which is often spread across multiple functional areas and budget allocations
• Collaborate and work on a strategy for emergency cybersecurity spending
»» In the event of a cyber incident, incident response plans should also incorporate how to purchase needed equipment or services
»» Vendors and contractors should already be vetted and in place if such an incident should occur
»» Contingency plans should be made for loss of financial systems to ensure continuity with minimal disruption
• Work with Legal and Compliance, and Information Technology, to ensure contracts with third parties include clauses for effective oversight of supplier cybersecurity, notification of incidents, and adherence to relevant industry and government policies and regulations
• Define the appropriate balance of resource allocation between run-the-business or improve-the-business and secure-the-business investments
»» While the former can demonstrate a closer alignment to organization goals and performance, a rush to implement them often introduces new risks
»» If done properly, improvements in IT operations can also improve security and compliance, since many foundational controls for security (such as asset profiling, vulnerability management, configuration and patch management and access management) are essential to a well-run IT environment
• Protect the organization’s financial viability and reputation by ensuring compliance with financial laws, regulations, rules, standards, and policies (both external and internal)
»» Understand the regulatory requirements associated with financial information, such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA) and Payment Card Industry Data Security Standards (PCI DSS)
»» Support the cybersecurity team’s efforts to secure systems which are impacted by these requirements
• Protect sensitive strategic, financial, legal, and risk information
»» Share only necessary information
»» Ensure the information is destroyed in compliance with the organization’s data retention policies or external regulations
»» Use encryption, passwords and other methods to secure files when you transfer them to others
• Protect access to any online file sharing or decision support platform by applying best practices, such as:
»» Strong, complex passphrases
»» Unique passphrases for each critical account
»» Multi-factor authentication

What we all should do:
• Use social media wisely
»» Apply strong privacy settings
»» Don’t share personal information on business accounts
»» Don’t share business information on personal accounts
• When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:
»» Change your wireless router password, SSID, and limit ability of others to find it
»» Maximize encryption levels on your wireless router
»» Increase privacy settings on your browser
»» Use Virtual Private Networks (VPN) to access corporate networks whenever possible
»» For additional security, protect browsing privacy through encrypted browsers
»» For additional security, protect personal email accounts through encrypted email
• When traveling, secure your connections back to the enterprise:
»» Use VPN access to corporate networks whenever possible
»» Do not enter sensitive information on public computers
»» Do not use public Wi-Fi without VPN
»» Use a dedicated wireless hotspot for internet access
»» If a hotspot is not available, consider tethering to an issued cell phone
»» Physically protect your computer from theft and unauthorized access

A note to leaders:
As Finance and Administration leaders, you are often the default arbiter for resource demands among the other business functions. At the same time, there are many decisions that must be influenced or made by you in organizational planning, enterprise risk management, and resource allocation in which you are not the subject matter expert—but the decisions must be made.
Get smart about cybersecurity and enterprise risk. Your job, and the financial health of the organization, depends on your ability to make reasonable recommendations and decisions where there are many trade-offs.
Human Resources
Planning, hiring, and supporting the development, retention, and compensation of the organization’s workforce

What Human Resources does
If you are responsible for the management and optimization of the organization’s human resources—from entry-level staff to senior executives—as well as external stakeholders—from job candidates to recruiters, consultants, human resources associations, and benefits providers—this applies to you. You are responsible for human resource strategy in alignment with the overall strategy of the organization, and serve as subject matter experts in the areas of human resources policies and management, talent acquisition and development, workforce and succession planning, employee relations and engagement, culture and diversity, performance management, and compensation and benefits. You may also be involved in maintaining records in platforms such as human resources administration portals and talent acquisition tools.
You matter to the organization, because without your expertise and efforts to acquire, cultivate, and retain the organization’s most valuable asset, its people, the organization would not possess the knowledge, skills, and abilities necessary to succeed. Because of you, many hard-learned best practices for human resource management can be applied in a consistent manner.

The role of Human Resources in cybersecurity is all about:
1. Implementing best practices in organizational change management, employee training, and performance management to enable a cyber-secure culture
2. Ensuring that critical cybersecurity roles are filled, consistent with the NICE Cybersecurity Workforce Framework, and that employees remain current on necessary knowledge, skills and abilities
3. Safeguarding sensitive employee information
4. Spearheading efforts to mitigate the risks of insider threat

Your title includes words like…
Human Resources, Human Capital, People, Talent, Recruitment, Acquisition, Labor, Organizational Design, Training, Benefits, Compensation

Information and systems you own, manage, or use
• Employee data
• Human resource information systems
• Recruitment and onboarding systems (applicant tracking systems)
• Performance management systems
• Succession planning models
• Benefits administration systems

What Human Resources professionals should do:
• Leverage NIST Special Publication 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework to deploy human resources to the proper cybersecurity roles
»» Reference this framework for workforce planning, competency development, talent acquisition, and retention
»» Reference this framework to identify non-cybersecurity-specific roles which can perform cybersecurity functions
»» Apply standard lexicon to internal planning conversations, to ensure a common understanding across business functions
• Ensure cybersecurity knowledge, skills, and abilities are incorporated into employee training and development programs
• Require and track participation in cybersecurity training and awareness programs for all employees across the enterprise
• Leverage human resources best practices to support retention of critical cybersecurity roles
• Be vigilant to ensure selection of vendors that can effectively maintain the confidentiality of employee personal information, which frequently includes protected health information
• Protect access to your human resource management platform by applying best practices, such as:
»» Strong, complex passphrases
»» Unique passphrases for each critical account
»» Multi-factor authentication
• Protect sensitive information in employee recruiting, performance, compensation, and benefits:
»» Share only necessary information
»» Ensure the information is destroyed in compliance with the organization’s data retention policies or external regulations
»» Use encryption, passwords, and other methods to secure files when you transfer them internally, or externally with stakeholders such as recruiters, potential hires, etc.

What we all should do:
• Use social media wisely:
»» Apply strong privacy settings
»» Don’t share personal details on business accounts
»» Don’t share business information on personal accounts
• When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:
»» Change your wireless router password, SSID, and limit ability of others to find it
»» Maximize encryption levels on your wireless router
»» Increase privacy settings on your browser
»» Use Virtual Private Networks (VPN) to access corporate networks whenever possible
»» For additional security, protect browsing privacy through encrypted browsers
»» For additional security, protect personal email accounts through encrypted email
• When traveling, secure your connections back to the enterprise:
»» Use VPN access to corporate networks whenever possible
»» Do not enter sensitive information on public computers
»» Do not use public Wi-Fi without VPN
»» Use a dedicated wireless hotspot for internet access
»» If a hotspot is not available, consider tethering to an issued cell phone
»» Physically protect your computer from theft and unauthorized access

A note to leaders:
Human resource professionals have always played an important role in addressing business risks, ranging from natural disasters and workplace violence to lawsuits and lay-offs. Cyber-related business risks are no different: they cannot be effectively addressed without the implementation of best practices in workforce management.
Be proactive in working with other business functions to address cyber-related risks. Early involvement is the key to ensuring that the right people are in the right roles, with the right knowledge, skills, and abilities, doing the right things.
Legal and Compliance
Ensuring compliance with laws, regulations and standards, mitigating risk, and addressing legal matters

What Legal and Compliance does
If you are focused on mitigating or responding to legal risks or compliance matters, this applies to you. You do this in large part by ensuring that the organization remains compliant with the numerous laws, regulations, and standards that apply to it. You may also respond to external inquiries, challenges or complaints, as well as internal matters of a sensitive nature.
You are close advisors to senior leaders, helping to set policies and priorities in a manner that balances the organization’s primary purpose with the risks to which it may be exposed. You are highly responsive to legal threats, and may become the focal point of interaction with those outside the organization when legal or compliance matters need to be addressed, such as during litigation, court proceedings, audits, and when law enforcement is involved.
You matter to the organization, because you ensure that it remains in good standing with laws, regulations and standards, allowing it to focus on its core competencies. Without you, the organization could easily find itself in trouble, and subject to criminal, civil and audit liabilities.

The role of Legal and Compliance in cybersecurity is all about:
1. Minimizing liabilities associated with the organization’s cybersecurity posture
2. Ensuring compliance with cybersecurity laws, regulations, and standards
3. Addressing the legal implications of incidents when they arise

Your title includes words like…
General Counsel, Corporate Counsel, Inspector General, Internal Audit, Legal, Compliance, Risk, Privacy Officer, Attorney, Investigator, Paralegal, Legal Assistant, Import/Export Compliance

Information and systems you own, manage, or use
• Articles of incorporation, charters and formation documents
• Contracts and agreements
• Compliance reports
• Audit reports
• Legal briefs
• Communications with retained law firms
• Communications with law enforcement agencies
• Databases and file storage for Legal and Compliance teams

What Legal and Compliance professionals should do:
• Understand the legal implications of cybersecurity in order to enable sound risk mitigation
»» Engage with credible third parties to learn about cybersecurity and law—this includes professional associations, industry groups, consultants, and educators
»» Remain current on emerging regulations and standards
• Implement an effective compliance program for the organization
»» Assess the organization’s exposure to laws, regulations, and industry standards to ensure appropriate coverage
»» Leverage existing best practices for compliance enforcement
»» Ensure third parties adhere to organizational cybersecurity policies through contractual terms, such as Service-Level Agreements (SLAs)
• Actively participate in the enterprise risk management process, working with Planning and Governance, Finance and Administration, and other business functions to mitigate risks in a holistic manner
• Actively support the organization’s incident responders during a suspected breach
• Conduct post-incident law enforcement engagement, vendor notifications and public notifications as required
• Protect access to any online file sharing or decision support platform by applying best practices, such as:
»» Strong, complex passphrases
»» Unique passphrases for each critical account
»» Multi-factor authentication
• Protect sensitive legal and compliance information
»» Share only necessary information
»» Ensure the information is destroyed in compliance with the organization’s data retention policies or external regulations
»» Use encryption, passwords, and other methods to secure files when you transfer them to others
• Lead the organization’s efforts to develop and implement privacy guidelines consistent with applicable laws, industry regulations, and best practices

What we all should do:
• Use social media wisely
»» Apply strong privacy settings
»» Don’t share personal information on business accounts
»» Don’t share business information on personal accounts
• When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:
»» Change your wireless router password, SSID, and limit ability of others to find it
»» Maximize encryption levels on your wireless router
»» Increase privacy settings on your browser
»» Use Virtual Private Networks (VPN) to access corporate networks whenever possible
»» For additional security, protect browsing privacy through encrypted browsers
»» For additional security, protect personal email accounts through encrypted email
• When traveling, secure your connections back to the enterprise:
»» Use VPN access to corporate networks whenever possible
»» Do not enter sensitive information on public computers
»» Do not use public Wi-Fi without VPN
»» Use a dedicated wireless hotspot for internet access
»» If a hotspot is not available, consider tethering to an issued cell phone
»» Physically protect your computer from theft and unauthorized access

A note to leaders:
No matter how many cybersecurity professionals are hired, or how much investment is made in mitigating tools and technologies, the organization will not be able to adequately address cyber-related risks until the legal implications are considered. Furthermore, the organization could improve security but still be exposed to liability due to non-compliance. Work with cybersecurity experts, as well as legal advisors, auditors, and consultants, to ensure that exposure is minimized and the organization can focus on its mission.
Ask the difficult questions. Your colleagues may not be asking the right questions, or may be avoiding addressing the hard ones. They may be ignoring the requests of cybersecurity professionals within the organization. But chances are, they will listen to you.
Information Technology
Leveraging technology solutions for business connectivity, productivity, and essential processes

What Information Technology does
If you define, develop, test, deploy, support, maintain, and protect technology solutions for the organization, this applies to you. You are responsible for the “central nervous system” of the business, managing the computing systems and networks that enable decision making and communication, and then translating that content into processes that run the business. You are likely involved in interacting with end users to gather their requirements and deliver on them. You may interact closely with the Human Resources and Legal and Compliance functions to ensure organization-wide awareness of, and adherence to, cybersecurity policies. You may also be involved in interacting with external vendors for technology acquisition and support. In the event of a cybersecurity incident, you would likely interact with service providers, law enforcement, and external cybersecurity organizations.
You matter to the organization, because you enable everyone to communicate, capture data, process information, and manage the systems that work depends on. Critical assets, including confidential information, intellectual property, competitive differentiators, and customer data, can be properly used and protected because of your role.

The role of Information Technology in cybersecurity is all about:
1. Providing technical expertise for the security of information systems and associated technology platforms
2. Implementing and maintaining a robust multi-layered (defense-in-depth) approach to the organization’s information security, consistent with industry best practices and compliant with applicable regulations and standards
3. Responding to and mitigating security-related incidents

Your title includes words like…
Technology, Information, IT, Infosec, Cybersecurity, Data, Systems, Computer, Network, Telecommunications, Database, Business Process, Software, Coding, Programmer, Web, Red Team, Blue Team

Information and systems you own, manage, or use
• Privileged accounts
• Access controls to critical systems
• Active Directory and associated personnel information
• Results of cybersecurity assessments, audits and penetration tests
• Internal infrastructure, from servers and storage systems to network devices and endpoint systems
• Externally-hosted (cloud-hosted) platforms and data

What Information Technology professionals should do:
• Provide technical expertise in support of the organization’s cybersecurity program
»» Ensure current knowledge in cybersecurity tools, techniques, and procedures
»» Cross-train other IT roles with security functions in order to develop a broader awareness of, and capacity to implement, cybersecurity best practices
»» Collaborate proactively with other business functions across the enterprise
• Implement a robust cybersecurity program, with appropriate technical and process controls consistent with the organization’s risk mitigation strategy
»» Leverage cybersecurity best practice frameworks, maintained by authoritative entities such as the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), and International Organization for Standardization (ISO)
»» Work with external entities, such as consultants, auditors, professional associations and product and service providers to identify the best tools for the job
• Integrate security into IT design, architecture, deployment and routine operations
»» Consider security upfront, not as an afterthought
»» Integrate security throughout the application development, testing, staging, and deployment process, including DevOps
»» Leverage IT operational best practices to improve security
• Establish and enforce robust security policies for employees, contractors, and vendors
• Establish, verify, and enforce robust cloud security policies for the organization
»» Ensure that cloud service providers deliver the level of security that the organization requires