Cybersecurity is Everyone’s Job

A Publication of the National Initiative for Cybersecurity Education Working Group Subgroup on Workforce Management at the National Institute of Standards and Technology

1 | v1.0
Abstract

This guidebook outlines what each member of an organization should do to protect it from cyber threats, based on the types of work performed by the individual. It is aligned with the strategic goals of the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology (NIST). The need for this paper was identified by the Workforce Management subgroup of the NICE Working Group (NICEWG), a voluntary collaboration of industry, academic and government representatives formed to facilitate, develop and promote cybersecurity workforce management guidance and measurement approaches that create a culture where the workforce is managed and engaged to effectively address the cybersecurity risks of their organization.

Disclaimer

This is not an official publication of the U.S. government. The guidelines provided in this guidebook are non-binding, non-regulatory recommendations. Authors and editors are not liable for circumstances arising from the implementation of these recommendations.

Published October 2018
https://www.nist.gov/itl/applied-cybersecurity/nice/workforce-management-guidebook

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, at https://creativecommons.org/licenses/by-nc-sa/4.0
Contents

Abstract ... 2
Introduction ... 4
Building a Cyber-Secure Culture ... 6
Leadership, Planning, and Governance ... 7
Sales, Marketing, and Communications ... 9
Facilities, Physical Systems, and Operations ... 11
Finance and Administration ... 13
Human Resources ... 15
Legal and Compliance ... 17
Information Technology ... 19
Appendix 1: Doing the Right Things ... 21
Appendix 2: Project Team ... 22
Appendix 3: Methodology ... 24
Appendix 4: Where to Learn More ... 25
Introduction

We are the greatest vulnerability in any organization. In this era of persistent cyber threats, an organization can be secure only with the active participation of everyone. Unfortunately, many organizations limit security responsibilities to designated security personnel that perform specialized security functions. Effective security must be enterprise-wide, involving everyone in fulfilling security responsibilities. Each member of the group, from the newest employee to the chief executive, holds the power to harm or to help, to weaken or strengthen, the organization’s security posture.

This guidebook outlines what each of us should do to protect the organization, based on the types of work we do.

Cybersecurity: Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack (Merriam-Webster).

Who Can Use this Guidebook?

This guidebook is intended for every kind of organization, from large government agencies and publicly-traded corporations to nonprofits and small, family-owned businesses, since all organizations must perform common, essential activities. These functions include generating revenue, communicating with external customers and stakeholders, delivering products and services, leading people, and managing financial and legal matters, all of which depend on computing systems. Each of these areas routinely exposes the organization to a variety of cyber-related business risks. To reduce these risks, each person in each business function must be involved, understanding your role and taking individual responsibility for mitigating cyber risks.

In the following pages, you’ll find practical guidelines for action, organized by business function. Many of these tasks are simple… so simple that they might seem inconsequential. But these guidelines reflect proven best practices developed by security experts from government, industry and academia.

The cybersecurity of your organization depends on you, and here’s what you can do.

Benefits of this Guidebook

• Helps you to know what you need to do, based on your role
• Engages all functions and roles—technical and non-technical—in securing critical information and systems
• Provides essential, must-do-first guidance in plain language
• Turns the organization’s greatest vulnerability—its people—into the organization’s greatest asset

Why this Guidebook is Needed

Contrary to the common misunderstanding that cyber threats are a technology problem looking for a technology solution, the data clearly and consistently shows that employees are the greatest vulnerability of any organization. This means that no matter how robust the technology is, or how many cybersecurity policies the Chief Information Security Officer (CISO) may have introduced, the organization cannot be secure without all individuals doing their part, across all business functions, technical and non-technical.

Consider how dependent our public health is on the active participation of everyone. We are all educated and encouraged to exercise good hygiene such as washing hands and seeking preventative care through immunizations, and even children are well versed in best practices for covering your mouth when you sneeze, handwashing and so forth. Even when well-trained medical professionals are delivering exceptional care in a robust health care system, the spread of diseases is primarily prevented through good hygiene. Similarly for good “cyber hygiene,” when each of us takes appropriate care, we protect the larger community.

Another common misunderstanding is that organizations just need to hire more technically-savvy cybersecurity professionals. Without a doubt, these skilled people are very important. Without them, essential technical safeguards could not be implemented, ongoing security operations would not be conducted, and there would be no one to respond to the next cyber incident. However, the largest “attack surface” of the organization is you and me—the people who perform common functions: Leadership, Planning, and Governance; Sales, Marketing, and Communications; Facilities, Physical Systems, and Operations; Finance and Administration; Human Resources; Legal and Compliance; and routine Information Technology operations. Therefore, cybersecurity is everyone’s job.
How to Use this Guidebook

This guidebook is organized by business function—those essential activities which all organizations must perform to at least some extent. Each function represents work that may be performed by a number of formal job roles, or they may be performed by one person, depending on the size of the organization. They are intended for full-time employees, part-time hires, leaders at all levels, and those who perform tasks in that particular business function, even if their primary role is elsewhere. The goal is to build a cyber-secure workforce, with each person doing their part to secure the organization.

The business functions are presented as seven categories:

»» Leadership, Planning, and Governance
»» Sales, Marketing, and Communications
»» Facilities, Physical Systems, and Operations
»» Finance and Administration
»» Human Resources
»» Legal and Compliance
»» Information Technology

Each section is written so that it may be used as a stand-alone reference for that particular business function; therefore, some of the guidelines will appear in multiple sections. Additional resources, references and information on how this guidebook was developed are contained in the appendices.

Please note that the information in this guidebook is not intended to replace your organization’s security policies; rather, it provides a supplemental quick reference of actions that each person can perform to ensure the organization’s cyber resilience.

This document can be shared as-is, or organizations may tailor it to their needs and communication methods—in materials such as booklets, webpages, publications, or webinars. The intent is for users to understand how everyone in an organization—across all business functions and roles—can enforce the cybersecurity posture of their organization. For more information on acceptable use and sharing, please refer to the Creative Commons licensing terms for Attribution-NonCommercial-ShareAlike 4.0 International License, at https://creativecommons.org/licenses/by-nc-sa/4.0
Building a Cyber-Secure Culture

Your organization’s culture is critical to establishing a successful cybersecurity posture. Its culture must emphasize, reinforce, and drive behavior toward security. A resilient workforce will not exist without a cyber-secure culture.

Mindset

Mindset is a critical component of culture. When we build awareness into the organizational culture, we increase our ability to address cyber risks. Every organization is at risk, whether a small non-profit or a Fortune 100 company. Given the prevalence of cyber attacks, we need to stay alert and prepared. Mindset will drive appropriate behaviors at the individual level, contributing to the resilient workforce that every organization needs.

Leadership

The organization’s leaders set the tone. Leadership is the most important factor to influencing awareness and mindset. Leaders must embrace cybersecurity education, awareness and best practices. Leaders must also support security investments, and champion cybersecurity in enterprise risk management. Deep technical knowledge is not required from leaders; rather, they should model good personal security habits based on sound guidelines. Leadership involvement is critical for a cyber-secure organization.

Training and Awareness

Once leaders foster a cyber-secure culture, the next step is to implement employee awareness training. These programs build an understanding of risks, and—most importantly—provide specific steps for mitigating them. Training programs come in many forms; most involve computer-based learning modules and practical exercises.

The use of social engineering, or manipulation, to spread exploits via unsuspecting employees is an increasing risk. They may have access to the targeted data or systems themselves, or may be exploited to reach those who do. A key element in a training program is hardening your employees to the reality of socially engineered exploits. No program will lead to a sustained 100% success rate against human-based exploits, but can substantially reduce the volume and the impact of attacks; your cyber defenders can focus on a smaller, more manageable set of incidents.

Another common way to help build cyber-secure culture is through internal awareness campaigns. From posters and newsletters to contests and prize drawings, organizations have found effective ways to generate “buzz” around important security themes. While these methods should be employed year round, October’s National Cybersecurity Awareness Month is a particularly good time to emphasize these themes.

Performance Management

Incentives and disincentives can have a profound impact on human behavior. For real cultural change to occur in cybersecurity preparedness, individual performance goals must align with the goals of the organization. Performance goals for security can include completion of required training, improved responses to phishing exercises, compliance with policies, and avoidance of risky online behaviors. Financial and operational metrics are common in organizations; security metrics should be also.

Technical and Policy Reinforcement

Technical controls associated with human behavior can be implemented to reinforce cyber-secure culture. Just as physical access controls reinforce the mental awareness of a physical perimeter, so can password policies, multi-factor authentication and mobile device management solutions reinforce security culture. Policy at the organizational level can also drive implementation of controls by outlining the negative consequences of non-compliance.

There are many ways that these guidelines can be implemented, reflecting the unique culture of each organization. What matters is that they form the basis for developing a cyber-secure culture by increasing awareness and fostering the right mindset. With a sound cyber-secure culture in place, each business function can focus on its own contribution to protect the organization.
Leadership, Planning, and Governance

Setting overall direction, establishing priorities, maintaining influence, and mitigating risks

What Leadership, Planning, and Governance Does

If you are responsible for the overall strategic direction of the organization, or for maintaining controls and mitigating risks, this section applies to you. Leadership, Planning, and Governance professionals are often the most senior leaders, or are directly supporting strategic decision makers. You may be involved in board proceedings, contribute as senior level management or manage a complex government agency, with fiduciary responsibility and budget authority. Or, you could be the owner-operator of a small business or franchise. What all these roles have in common is that final decisions are made by you, or you are supporting those who make those decisions. Because competing demands must be balanced and limited resources allocated, you play a crucial role in establishing priorities and ensuring adherence to them. At the same time, strategic risks to the organization must be addressed. You are often the arbiter of difficult decisions.

You matter to the organization, because without you, the organization lacks direction and cohesion. You are the hub of the wheel—connecting to, coordinating, and driving the many parts of the business.

The Role of Leadership, Planning, and Governance in Cybersecurity is All About:

1. Managing and mitigating overall cyber-related business risks
2. Establishing effective governance controls
3. Prioritizing and resourcing cybersecurity programs
4. Safeguarding the sensitive information you rely on for planning and decision making
5. Establishing a cyber-secure culture within the organization

Your title includes words like:

Director, Board, Chairman, Chief, Executive, Commander, President, Vice President, Partner, Principal, Owner, Founder, Secretary, Consultant, Strategy, Governance, Risk, Intelligence, Controls

Information and systems you own, manage, or use:

• Strategic plans
• Intellectual property
• Board and senior management proceedings
• Financial records
• Merger and acquisition information
• Third-party recommendations and reports
• Routine communications of a sensitive nature

What Leadership, Planning, and Governance professionals should do:

• Understand cybersecurity basics and best practices well enough to enable sound decision making
»» Establish a routine reporting process for cyber risks within the organization
»» Engage with trusted third parties to learn about cyber risks and their mitigations—this includes consultants, industry groups, and cybersecurity service providers and educators
»» Regularly commission objective risk assessments of the organization
»» Direct the implementation of cybersecurity best practice frameworks, maintained by authoritative entities such as the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), and International Organization for Standardization (ISO)
• Include cyber risks in the enterprise risk management process
»» Avoid treating cyber risks as a separate and mysterious matter only for technologists
»» Understand the organizational impacts of cyber incidents
»» Consider risks introduced by partners and suppliers
»» Conduct exercises and decision-making drills to familiarize yourself and your organization with how to respond to disasters and security incidents
»» Prioritize cyber-related risks to ensure appropriate attention and effort is committed to their mitigation
• Develop and maintain organizational information security policies and standards
»» Ensure that information security policies are informed by risk assessments, regulations, and standards/best practices
»» Ensure organizational security policies are appropriately implemented, institutionalized and communicated
»» Be aware of relevant data protection / privacy regulations and legislation to ensure that your organization remains in compliance, e.g., General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Freedom of Information Act (FOIA), Sarbanes-Oxley (SOX), Family Educational Rights and Privacy Act (FERPA)
»» Have a schedule in place to regularly review and update policies
• Promote the development of effective cross-functional teams to accomplish cybersecurity goals for the organization.
• Adequately fund cybersecurity resource requests
»» Digital assets cannot be protected without human and technical resources; be ready to commit resources aligned to a cohesive cybersecurity strategy
»» Plan for future needs
• Protect sensitive strategic, financial, legal, and risk information
»» Share only necessary information
»» Ensure the information is retained/destroyed in compliance with the organization’s data retention policies or external regulations
»» Use strong encryption, strong passwords, and other methods to secure files when you transfer them to others
• Protect access to online file sharing or decision support platforms by applying best practices, such as:
»» Strong passphrases
»» Unique passphrases for each critical account
»» Multi-factor authentication

What we all should do:

• Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor
• When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:
»» Change your wireless router password, SSID, and limit ability of others to find it
»» Maximize encryption levels on your wireless router
»» Increase privacy settings on your browser
»» Use Virtual Private Networks (VPN) to access corporate networks whenever possible
»» For additional security, protect browsing privacy through encrypted browsers
»» For additional security, protect personal email accounts through encrypted email
• When traveling, secure your connections to the enterprise
»» Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
»» Use VPN access to corporate networks whenever possible
»» Do not use public Wi-Fi without VPN to transmit sensitive information
»» Use a dedicated wireless hotspot for internet access
»» If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
»» Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
»» Physically protect your computer from theft and unauthorized access
• Use social media wisely
»» Apply strong privacy settings
»» Don’t share personal information on business accounts
»» Don’t share business information on personal accounts

A note to leaders

You are ultimately responsible. Work with cybersecurity experts—externally and those you hire internally—to establish sound guidelines, be familiar with those guidelines, implement them yourself, and ensure that your teams know what they’re expected to do.

Don’t be afraid to ask questions. Nobody expects you to understand cyber as well as you understand finance or operations, but everyone expects you to mitigate risks to the business—and cyber risks are real. Your job depends on how well you address the real risks of an often-unfamiliar subject.
Sales, Marketing, and Communications

Raising awareness, communicating, generating revenue, and interacting with customers

What Sales, Marketing, and Communications Does

If you are interacting with customers, clients, donors or citizens, this applies to you. Sales, Marketing, and Communications professionals are those who engage prospective and existing customers to drive awareness of products and services, stimulate interest, and generate revenue through sales or other means. You may also be involved in public- and media-facing communications. You are the messengers of the organization, carrying news of the good things you provide to those who need to know, and responding to current events. This includes the crucial work of converting business ideas into real business deals. Along with the people who deliver the products or services, you are often the most visible, outward-facing people in your organization.

You matter to the organization, because without you, ideas, products and services sit idle—you make the organization a vibrant part of the world around it.

The Role of Sales, Marketing, and Communications in Cybersecurity is All About:

1. Protecting the company brand, reputation and the trust of citizens, customers, and partners
2. Preventing/limiting information loss as you interact with the outside world
3. Reducing risks to the enterprise network presented by remote work, telecommuting, and travel

Your title includes words like:

Sales, Accounts, Client, Revenue, Business Development, Donor Relations, Advertising, Social Media, Marketing, Demand Generation, Communications, Media Relations, Analyst Relations, Public Affairs, Community, Stakeholder, Engagement, Relationship Manager

Information and systems you own, manage, or use:

• Customer data
• Partner data
• Contracts
• Financial data
• Customer support portals
• Customer Relationship Management (CRM) systems
• Public announcements
• Public-facing websites
• Social media accounts
• Press releases

What Sales, Marketing, and Communications professionals should do:

• Communicate the importance of cybersecurity matters to your stakeholders
»» Access reputable sources to develop a well-rounded understanding of how information and systems fit into the ecosystem of the people you interact with—this includes consultants, industry groups, cybersecurity service providers and educators
»» Inventory the types of information entrusted to the care of your organization, and consider the potential impact of data compromise for your customers and partners
»» Understand the potential impact of a cyber incident to your organization, including customer trust and competitive advantage
• Develop a communications plan for the inevitable cyber incident
»» Participate in internal incident response team planning
»» Become familiar with the cyber incident response plan
»» Participate in “table-top exercises” and other planning efforts in anticipation of cyber incidents
»» Draft a communication plan consistent with regulatory requirements, legal considerations, industry best practices, and commitments made to external stakeholders
• Protect shared files
»» Use encryption, passwords, and other methods to secure files when you transfer them to/from customers and partners
• Protect access to your Customer Relationship Management (CRM) platform by applying best practices, such as:
»» Strong passphrases
»» Unique passphrases for each critical account
»» Multi-factor authentication
»» Restricting levels of access by need
»» Removing employees or vendors when they are no longer involved
• Protect customer information in quotes, purchase orders, invoices, payments, and presentations
»» Share only necessary information
»» Ensure the information is destroyed in compliance with the organization’s data retention policies or applicable regulations
• Bring customers’ cyber concerns back into the organization.
• Be aware of the implications of conducting business in foreign jurisdictions with different regulations such as the European Union’s General Data Protection Regulation (GDPR)

What we all should do:

• Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor
• When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:
»» Change your wireless router password, SSID, and limit ability of others to find it
»» Maximize encryption levels on your wireless router
»» Increase privacy settings on your browser
»» Use Virtual Private Networks (VPN) to access corporate networks whenever possible
»» For additional security, protect browsing privacy through encrypted browsers
»» For additional security, protect personal email accounts through encrypted email
• When traveling, secure your connections to the enterprise
»» Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
»» Use VPN access to corporate networks whenever possible
»» Do not use public Wi-Fi without VPN to transmit sensitive information
»» Use a dedicated wireless hotspot for internet access
»» If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
»» Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
»» Physically protect your computer from theft and unauthorized access
• Use social media wisely
»» Apply strong privacy settings
»» Don’t share personal information on business accounts
»» Don’t share business information on personal accounts

A note to leaders

Implementing cybersecurity best practices is hard to do with external-facing employees, particularly if they are out in the field most of the time. The most effective aspect of leadership is to lead by example: know these guidelines, implement them yourself, and ensure that your teams understand what they’re expected to do.

Demand cyber-secure resources. If your organization does not provide secure connections, such as multi-factor authentication, VPN, and/or mobile hotspots, demand it! Your job, and the organization’s reputation, depends on maintaining the trust of citizens, customers, and partners.
Facilities, Physical Systems, and Operations

Designing and delivering products and services, managing operations, and maintaining the physical environment

What Facilities, Physical Systems, and Operations Does

If you are designing and delivering the organization’s products and services to your customers, or are part of the operations to support delivery, or are managing and maintaining the physical environment, this section applies to you. Since the types of products and services vary greatly, Facilities, Physical Systems, and Operations covers a diverse range of roles from site management to product engineer to operations analyst to distribution manager, and beyond. You deliver the organization’s value to the world, fulfilling its primary purpose. Your role directly impacts citizens, customers, and partners who depend on your organization’s products and services.

You matter to the organization, because successful development and delivery of its products and services depends on you. The organization would cease to function without the capabilities you provide, and the primary purpose of the organization would go unfulfilled. Your performance is also crucial to maintaining a competitive advantage—what makes your organization unique and respected—in a crowded, noisy, and busy world. Furthermore, the technology systems you operate, including those that manage physical processes (Operational Technology (OT), rather than Information Technology (IT)), introduce potential risks to life and limb, making your security readiness paramount.

The Role of Facilities, Physical Systems, and Operations in Cybersecurity is All About:

1. Protecting the uniqueness of the products and services that your organization delivers
2. Securing physical systems from compromise due to all hazards, including physical and cyber risks
3. Integrating cybersecurity with physical safety and security

Your title includes words like:

Operations, Delivery, Consultant, Services, Engineering, Product Development, Process Control, Workplace, Plant, Facilities, Fabrication, Office, Maintenance, Logistics, Supply Chain, Real Estate, Design, Manufacturing, Safety

Information and systems you own, manage, or use:

• Intellectual property
• Plans, diagrams and schematics
• Physical control systems
• Supervisory Control and Data Acquisition (SCADA) systems
• Building management systems (BMS)
• Physical security systems

What Facilities, Physical Systems, and Operations professionals should do:

• Identify cyber risks to the resilience of physical systems, including control systems
»» Engage IT and OT stakeholders
»» Engage trusted third parties to develop an understanding of cyber risks in the physical environment
»» Perform a comprehensive assessment of the physical environment to identify vulnerabilities and weaknesses
• Ensure appropriate physical security controls are implemented at facilities
• Develop a comprehensive plan to improve the security of control systems
»» Leverage cybersecurity best practice frameworks, maintained by authoritative entities such as National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), International Organization for Standardization (ISO), and ISA99
• Incorporate cybersecurity measures into the safety program
»» Ensure employee training includes awareness of cyber risks in the physical environment
»» Leverage the safety program as another means to foster a cyber-secure culture
»» Partner with IT to develop a system for guests who access the physical environment: limiting direct access, providing a restricted Wi-Fi network, etc.
• Protect intellectual property
»» Use encryption, passwords, and other methods to secure files when you transfer them to/from customers and partners
»» Share only necessary information
»» Ensure sensitive information is destroyed in compliance with the organization’s data retention policies or external regulations
»» Prevent remote access to systems unless absolutely necessary
• Consider security risks and mitigations in the supply chain
»» Ensure security controls are embedded within products where necessary
»» Ensure suppliers adhere to security best practices
• Protect access to your information repositories by applying best practices, such as:
»» Strong passphrases
»» Unique passphrases for each critical account
»» Multi-factor authentication

What we all should do:

• Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor
• When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:
»» Change your wireless router password, SSID, and limit ability of others to find it
»» Maximize encryption levels on your wireless router
»» Increase privacy settings on your browser
»» Use Virtual Private Networks (VPN) to access corporate networks whenever possible
»» For additional security, protect browsing privacy through encrypted browsers
»» For additional security, protect personal email accounts through encrypted email
• When traveling, secure your connections to the enterprise
»» Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
»» Use VPN access to corporate networks whenever possible
»» Do not use public Wi-Fi without VPN to transmit sensitive information
»» Use a dedicated wireless hotspot for internet access
»» If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
»» Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
»» Physically protect your computer from theft and unauthorized access
• Use social media wisely
»» Apply strong privacy settings
»» Don’t share personal information on business accounts
»» Don’t share business information on personal accounts

A note to leaders

Cultural barriers are as big as any other factor when it comes to cybersecurity in industrial environments and physical systems. It will require persistence, education, and leadership by example to build bridges between operational technology and information technology professionals, as well as between cybersecurity and industrial safety advocates.

Address risks holistically, across all domains. Insist that your employees do the same. Just as safety culture is driven by good leadership, sound performance management, and effective training, so is cybersecurity culture in operational environments.
Finance and Administration
Providing planning, forecasting, accounting, transactional and administrative support to all functions within the organization

What Finance and Administration Does
If you are involved in managing the organization’s finances, from planning and budgeting to accounting and processing transactions, this section applies to you. You are responsible for ensuring that each part of the organization has the ability to pay for goods and services, operate within a budget, track revenues and expenditures, and conduct business with external entities—from customers to suppliers. You may also provide administrative support to the Planning and Governance function or manage office operations. While this function includes all persons with a full-time role in these areas, it also applies to all executives, managers, and associates who handle financial and administrative matters; in other words, just about everyone.

In many cases, the Finance and Administration function includes enterprise risk management, with associated processes and personnel reporting into a Chief Financial Officer (CFO) or similar role. Internal audit and compliance functions may also be included.

You matter to the organization because nothing can happen without the ability to maintain financial health, perform essential transactions, manage business risks and support the Planning and Governance function.

Your title includes words like…
Finance, Financial, Comptroller, Accountant, Budget, Risk, Compliance, Contracting, Purchasing, Procurement, Buyer, Acquisitions, Vendor Management, Auditor, Examiner, Loan, Trader, Underwriter

Information and systems you own, manage, or use
• Financial performance records
• Budgets
• Financial assessments and audit reports
• Tax filings (e.g. IRS forms)
• Public filings (e.g. SEC forms)
• Planning tools and platforms
• Enterprise risk management tools and platforms
• Risk assessments and audit reports
• Compensation and benefits information
• Accounts payable systems
• Accounts receivable systems
• Contracts

The Role of Finance and Administration in Cybersecurity is All About:
1. Integrating cyber risks into the enterprise risk management process
2. Resourcing cybersecurity initiatives consistent with security strategy, and balanced with other IT investments
3. Maintaining the confidentiality and integrity of sensitive financial information to ensure security and compliance with applicable policies

What Finance and Administration professionals should do:
• Ensure that cyber risks are integrated into the enterprise risk management process
   »» Identify cyber-related risks to the enterprise early in the risk management process, not as a separate activity or late addition
   »» Understand the many different business effects of cyber threats, which range from business disruption and loss of credibility to legal liability and physical damage
• Provide sufficient funding to enable the success of the organization’s cybersecurity strategy
   »» Reference the organization’s security strategy and external best practice frameworks to help prioritize investments
   »» Work with cybersecurity leaders to understand how their resource requests align with strategy (which, in turn, should align with enterprise risk management); differentiate between the must-haves and nice-to-haves
   »» Develop a complete view of security-related spending, which is often spread across multiple functional areas and budget allocations
• Collaborate with other business functions on a plan for emergency spending
   »» In the event of a cyber incident, incident response plans should also incorporate how to purchase needed equipment or services
   »» Vendors and contractors should already be vetted and in place if such an incident should occur
   »» Contingency plans should be made for loss of financial systems to ensure continuity with minimal disruption
   »» Consider purchasing cyber risk insurance to offset the financial impact of security incidents
   »» Ensure that the emergency plan includes compensating services for affected parties, such as credit monitoring services
• Work with Legal and Compliance, and Information Technology, to ensure contracts with third parties include clauses for effective oversight of supplier cybersecurity, notification of incidents, and adherence to relevant industry and government policies and regulations
• Define the appropriate balance of resource allocation between run-the-business or improve-the-business and secure-the-business investments
   »» While the former can demonstrate a closer alignment to organization goals and performance, a rush to implement them often introduces new risks
   »» If done properly, improvements in IT operations can also improve security and compliance, since many foundational controls for security (such as asset profiling, vulnerability management, configuration and patch management and access management) are essential to a well-run IT environment
• Protect the organization’s financial viability and reputation by ensuring compliance with financial laws, regulations, rules, standards, and policies (both external and internal)
   »» Understand the regulatory requirements associated with financial information, such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA) and Payment Card Industry Data Security Standards (PCI DSS)
   »» Support the cybersecurity team’s efforts to secure systems which are impacted by these requirements
• Protect sensitive strategic, financial, legal, and risk information
   »» Share only necessary information
   »» Ensure the information is destroyed in compliance with the organization’s data retention policies or external regulations
   »» Use encryption, passwords and other methods to secure files when you transfer them to others
• Protect access to any online file sharing or decision support platform by applying best practices, such as:
   »» Strong passphrases
   »» Unique passphrases for each critical account
   »» Multi-factor authentication

What we all should do:
• Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor
• When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:
   »» Change your wireless router password, SSID, and limit ability of others to find it
   »» Maximize encryption levels on your wireless router
   »» Increase privacy settings on your browser
   »» Use Virtual Private Networks (VPN) to access corporate networks whenever possible
   »» For additional security, protect browsing privacy through encrypted browsers
   »» For additional security, protect personal email accounts through encrypted email
• When traveling, secure your connections to the enterprise
   »» Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
   »» Use VPN access to corporate networks whenever possible
   »» Do not use public Wi-Fi without VPN to transmit sensitive information
   »» Use a dedicated wireless hotspot for internet access
   »» If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
   »» Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
   »» Physically protect your computer from theft and unauthorized access
• Use social media wisely
   »» Apply strong privacy settings
   »» Don’t share personal information on business accounts
   »» Don’t share business information on personal accounts

A note to leaders
As Finance and Administration leaders, you are often the default arbiter for resource demands among the other business functions. At the same time, there are many decisions that must be influenced or made by you in organizational planning, enterprise risk management, and resource allocation in which you are not the subject matter expert—but the decisions must be made.

Get smart about cybersecurity and enterprise risk. Your job, and the financial health of the organization, depends on your ability to make reasonable recommendations and decisions where there are many trade-offs.
Human Resources
Planning, hiring, and supporting the development, retention, and compensation of the organization’s workforce

What Human Resources Does
If you are responsible for the management and optimization of the organization’s human resources—from entry-level staff to senior executives—as well as external stakeholders (job candidates to recruiters, consultants, human resources associations, and benefits providers), this applies to you. You direct human resource strategy in alignment with the organization’s strategy. Your role includes human resources policies and management, talent acquisition and development, workforce and succession planning, employee relations and engagement, culture and diversity, performance management, and compensation and benefits. You may also be involved in maintaining records in human resources administration portals and talent acquisition tools.

You matter to the organization, because without your expertise and efforts to acquire, cultivate, and retain the organization’s most valuable asset, its people, the organization would not possess the knowledge, skills, and abilities necessary to succeed. Because of you, best practices for human resource management can be applied in a consistent manner.

Your title includes words like:
Human Resources, Human Capital, People, Talent, Workforce, Recruitment, Acquisition, Labor, Organizational Design, Training, Benefits, Compensation, Performance Management

Information and systems you own, manage, or use:
• Employee data
• Human resource information systems
• Recruitment and onboarding systems (applicant tracking systems)
• Performance management systems
• Succession planning models
• Benefits administration systems

The Role of Human Resources in Cybersecurity is All About:
1. Implementing best practices in organizational change management, employee training, and performance management to enable a cyber-secure culture
2. Ensuring that critical cybersecurity roles are filled, consistent with the NICE Cybersecurity Workforce Framework, and that employees remain current on necessary knowledge, skills and abilities
3. Safeguarding sensitive employee information
4. Spearheading efforts to mitigate the risks of insider threat

What Human Resources professionals should do:
• Leverage NIST Special Publication 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework to deploy human resources to the proper cybersecurity roles
   »» Reference this framework for workforce planning, competency development, talent acquisition, and retention
   »» Reference this framework to identify non-cybersecurity-specific roles which can perform cybersecurity functions
   »» Apply standard lexicon to internal planning conversations, to ensure a common understanding across business functions
• Ensure cybersecurity knowledge, skills, and abilities are incorporated into employee training and development programs
• Mitigate risks introduced by new hires by performing background checks
• Require and track participation in cybersecurity training and awareness programs for all employees across the organization
• Leverage human resources best practices to support retention of critical cybersecurity roles
• Be vigilant to ensure selection of vendors that can effectively maintain the confidentiality of employee personal information, which frequently includes protected health information
• Protect access to your human resource management platform by applying best practices, such as:
   »» Strong passphrases
   »» Unique passphrases for each critical account
   »» Multi-factor authentication
• Protect sensitive information in employee recruiting, performance, compensation, and benefits:
   »» Share only necessary information
   »» Ensure the information is destroyed in compliance with the organization’s data retention policies or external regulations
   »» Use encryption, passwords, and other methods to secure files when you transfer them internally, or externally with stakeholders such as recruiters, potential hires, etc.
• Ensure the accounts of terminated employees are closed promptly
   »» Immediately notify IT of pending or actual terminations
   »» Update directories with new status, to ensure cascading of permissions changes across platforms and applications
   »» Update HR records accordingly

What we all should do:
• Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor
• When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:
   »» Change your wireless router password, SSID, and limit ability of others to find it
   »» Maximize encryption levels on your wireless router
   »» Increase privacy settings on your browser
   »» Use Virtual Private Networks (VPN) to access corporate networks whenever possible
   »» For additional security, protect browsing privacy through encrypted browsers
   »» For additional security, protect personal email accounts through encrypted email
• When traveling, secure your connections to the enterprise
   »» Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
   »» Use VPN access to corporate networks whenever possible
   »» Do not use public Wi-Fi without VPN to transmit sensitive information
   »» Use a dedicated wireless hotspot for internet access
   »» If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
   »» Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
   »» Physically protect your computer from theft and unauthorized access
• Use social media wisely
   »» Apply strong privacy settings
   »» Don’t share personal information on business accounts
   »» Don’t share business information on personal accounts

A note to leaders
Human resource professionals have always played an important role in addressing business risks, ranging from natural disasters and workplace violence to lawsuits and lay-offs. Cyber-related business risks are no different: they cannot be effectively addressed without the implementation of best practices in workforce management.

Be proactive in working with other business functions to address cyber-related risks. Early involvement is the key to ensuring that the right people are in the right roles, with the right knowledge, skills, and abilities, doing the right things.
Legal and Compliance
Ensuring compliance with laws, regulations and standards, mitigating risk, and addressing legal matters

What Legal and Compliance Does
If you are focused on mitigating or responding to legal risks or compliance matters, this applies to you. You do this in large part by ensuring that the organization remains compliant with the numerous laws, regulations, and standards that apply to it. You may also respond to external inquiries, challenges or complaints, as well as internal matters of a sensitive nature.

You are close advisors to senior leaders, helping to set policies and priorities in a manner that balances the organization’s primary purpose with the risks to which it may be exposed. You are highly responsive to legal threats, and may become the focal point of interaction with those outside the organization when legal or compliance matters need to be addressed, such as during litigation, court proceedings, audits, and when law enforcement is involved.

You matter to the organization, because you ensure that it remains in good standing with laws, regulations and standards, allowing it to focus on its core competencies. Without you, the organization could easily find itself in trouble, and subject to criminal, civil and audit liabilities.

Your title includes words like:
General Counsel, Corporate Counsel, Inspector General, Internal Audit, Legal, Compliance, Risk, Privacy Officer, Attorney, Investigator, Paralegal, Legal Assistant, Import/Export Compliance

Information and systems you own, manage, or use:
• Articles of incorporation, charters and formation documents
• Contracts and agreements
• Compliance reports
• Audit reports
• Legal briefs
• Communications with retained law firms
• Communications with law enforcement agencies
• Databases and file storage for Legal and Compliance teams

The Role of Legal and Compliance in Cybersecurity is All About:
1. Minimizing liabilities associated with the organization’s cybersecurity posture
2. Ensuring compliance with cybersecurity laws, regulations, and standards
3. Addressing the legal implications of incidents when they arise

What Legal and Compliance professionals should do:
• Understand the legal implications of cybersecurity in order to enable sound risk mitigation
   »» Engage with credible third parties to learn about cybersecurity and law—this includes professional associations, industry groups, consultants, and educators
   »» Remain current on emerging regulations and standards
• Implement an effective compliance program for the organization
   »» Assess the organization’s exposure to laws, regulations, and industry standards to ensure appropriate coverage
   »» Establish and enforce information classification and access processes
   »» Leverage existing best practices for compliance enforcement
   »» Ensure third-parties adhere to organizational cybersecurity policies through contractual terms, such as Service-Level Agreements (SLAs)
• Actively participate in the enterprise risk management process, working with Planning and Governance, Finance and Administration, and other business functions to mitigate risks in a holistic manner
• Implement measures to mitigate risks introduced by partners and suppliers
• Actively support the organization’s incident responders during a suspected breach, including taking appropriate steps to preserve legal privilege to the extent possible
• Conduct post-incident law enforcement engagement, vendor notifications and public notifications as required
• Protect access to any online file sharing or decision support platform by applying best practices, such as:
   »» Strong passphrases
   »» Unique passphrases for each critical account
   »» Multi-factor authentication
• Protect sensitive legal and compliance information
   »» Share only necessary information
   »» Ensure the information is destroyed in compliance with the organization’s data retention policies or external regulations