Channel: Symantec Connect - Blog Entries

Building Out an End-to-End DPA Strategy

Part ten in our series on Canada's Digital Privacy Act

Co-authored by Ken Durbin, CISSP and Kevin McPeak, CISSP, ITILv3

(Continued from part nine in our series on Canada's Digital Privacy Act)

In the previous blogs of this series, we covered the five major Functions of the NIST Cybersecurity Framework (CSF). We explained how these Functions break down into their respective Categories, Subcategories, and Informative References. We also discussed how the NIST CSF can help your organization prepare for the Canadian Digital Privacy Act (DPA). Symantec recommendations are based on decades of research and close collaboration with our partners and customers across numerous industries. We have seen large organizations develop outstanding cybersecurity programs, and we have observed patterns that recur when successful organizational cyber defense teams are built. This post walks through those patterns in the order in which they are usually put in place.

Appointing a CISO and Task Organizing for Cyber Success

Achieving success on this journey typically begins by appointing a Chief Information Security Officer (CISO): a committed cybersecurity leader who can develop and drive policy, implement procedures, and provide proper cyber training for staff at every organizational level. Hiring such a leader ensures that your cyber audits and related compliance activities are not simply paper exercises, but activities that foster realistic confidence in your cyber preparedness. Although many organizational structures have the CISO report directly to the Chief Information Officer (CIO), you should consider making the CISO an "organization chart peer" of the CIO. A peer-level CISO can develop his or her own reporting relationships, with access to the CEO and Board of Directors, and receives a commensurate budget and the executive support needed to invest in a strong cybersecurity program with supporting processes and defensive technologies. The practical test is whether the CISO can escalate a risk decision (for example, declining to connect an unpatched system) without the CIO's delivery priorities overriding it.

Imagine if your company’s cybersecurity team served as an elite example to a myriad of organizations across Canada. Rather than “build” cyber hygiene components “around” existing legacy IT systems, imagine if your business could effectively “clean house” and remove insecure technologies and broken processes and replace them with IT systems and automated procedures that have security baked in from inception rather than tacked on as an afterthought. Imagine also if your business was able to understand and anticipate new, emerging cyber threat vectors and take fast, proactive, defensive countermeasures – almost in real-time – and prior to adversaries attacking your systems through those new attack surfaces.

Once the right CISO is in place within an organizational structure that allows for energetic cyber leadership, that CISO can implement policies and continuously review them as they take effect. Examples of policies that should be developed and put in place include acceptable use, security awareness training, BYOD, flash/USB drive use, incident response, vendor relationship management (and vendor risk management), outsourcing activities such as cloud deployments, and DPA compliance itself.

Centralizing, Rationalizing, and Managing IT Assets to Include Hardware, Software, Hosted Solutions, and Cyber Tools

A centralized asset identification and asset management system should then be put in place. You can't conduct proper defense, and can't realize cost reductions, if you don't know what hardware and software you have deployed throughout your enterprise. In essence, you can't protect what you don't know you have or can't see. Hardware should be actively managed via tools that conduct network device inventory and then track those devices throughout their lifecycle, from initial procurement through end-of-life tech refresh. In this way, only authorized devices are given access to network infrastructure and resources, and unauthorized and unmanaged devices are found, prevented from gaining access, and removed. Likewise, rigorous software discovery should occur at a regular cadence to identify rogue applications that have found their way inside the trusted perimeter. A mature, predictable, reliable patch management regimen should identify the operating system and application patches that are needed, test and evaluate them, and then roll the approved, tested patches across the enterprise on a regular, well-tracked basis. Lastly, rogue hosting solutions (unsanctioned cloud services and externally hosted systems) should likewise be identified and blocked. The discovery side and the register side of this process only work together if they are reconciled: discovered devices not in the register are the unauthorized ones, registered devices that discovery never sees are the ones you have lost track of, and installed software that is not in the approved catalog or is below the approved version is the patching backlog.
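The reconciliation described above, as an added example that is not code from the original post or a Symantec product: it compares a constructed authorized asset register against constructed discovery output and an approved-software catalog, and reports unauthorized devices, registered devices that were not seen, rogue applications, and software below the approved patch level. The register layout, the MAC-as-identity assumption, and the sample data are all assumptions made for illustration; a real deployment would pull these from the CMDB and the discovery tool's export.

```python
"""Reconcile an authorized asset register against network/software discovery.

Added example (not from the original post). All data below is constructed
to stand in for a CMDB export and a discovery scan; MAC address is assumed
to be the device identity in both sources.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    hostname: str
    software: dict  # product name -> installed version string


def norm_mac(mac: str) -> str:
    """Canonicalise MACs so 'AA-BB-CC-..' and 'aa:bb:cc:..' compare equal.

    Register and discovery tools rarely agree on formatting; comparing raw
    strings would report the same device as both missing and unauthorized.
    """
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> tuple so '9.10' sorts after '9.6'."""
    return tuple(int(part) for part in version.split("."))


def reconcile(register, discovered, catalog):
    """Return findings from comparing the register with discovery output.

    unauthorized_devices: seen on the network, absent from the register
    missing_devices:      in the register, not seen by discovery
    rogue_software:       installed product not in the approved catalog
    unpatched:            approved product below the catalog's minimum version
    """
    reg = {norm_mac(d.mac): d for d in register}
    seen = {norm_mac(d.mac): d for d in discovered}
    findings = {
        "unauthorized_devices": sorted(seen.keys() - reg.keys()),
        "missing_devices": sorted(reg.keys() - seen.keys()),
        "rogue_software": [],
        "unpatched": [],
    }
    # Software checks run over every discovered host, authorized or not:
    # a rogue application is rogue wherever it is found.
    for mac in sorted(seen):
        dev = seen[mac]
        for product, version in dev.software.items():
            if product not in catalog:
                findings["rogue_software"].append((dev.hostname, product))
            elif parse_version(version) < parse_version(catalog[product]):
                findings["unpatched"].append(
                    (dev.hostname, product, version, catalog[product]))
    return findings


# Constructed sample data (assumption: what a CMDB export might look like).
REGISTER = [
    Device("AA:BB:CC:00:00:01", "fin-ws-01", {}),
    Device("aa-bb-cc-00-00-02", "hr-lt-07", {}),
    Device("AA:BB:CC:00:00:03", "db-srv-02", {}),
]

# Constructed sample data (assumption: discovery + software inventory output).
DISCOVERED = [
    Device("aa:bb:cc:00:00:01", "fin-ws-01", {"openssh": "9.6", "chrome": "121.0"}),
    Device("AA-BB-CC-00-00-02", "hr-lt-07", {"openssh": "8.9", "torrentclient": "1.2"}),
    Device("de:ad:be:ef:00:01", "unknown-rpi", {"openssh": "9.6"}),
]

# Constructed approved catalog: product -> minimum approved (patched) version.
CATALOG = {"openssh": "9.3", "chrome": "120.0"}


if __name__ == "__main__":
    for key, value in reconcile(REGISTER, DISCOVERED, CATALOG).items():
        print(f"{key}: {value}")
```

Each finding maps to an action the text calls for: unauthorized devices are candidates for network access control quarantine, missing devices need a physical or procurement follow-up, rogue software is removed or formally approved, and the unpatched list feeds the patch cadence. Running this on every discovery cycle, and tracking the counts over time, is what turns "we have an inventory" into evidence an auditor can check.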

Once a professional CISO is in place, and the above-mentioned policies, procedures, and asset tracking methods are implemented, the business of identifying, procuring, and deploying cybersecurity and audit tools can begin. If security tools already exist, a top-to-bottom review of them should be carried out in order to remove duplicative tools, reduce licensing costs, improve security insight, and prevent such tools from causing harm on the network (for example, an unmaintained agent or inspection appliance that itself becomes the weak point).

Data Governance, Data Classification, & Configuration Management

Rules for proper data governance should be put in place to ensure that sensitive data is tracked and secured. The new CISO should know who owns which data sets, and those data sets should be classified by sensitivity and tagged for use as Sensitive, Internal, or Public. Information Exchange Agreements should also be reviewed and periodically reassessed to ensure that your business is only sharing sensitive information with trusted downstream partners who have an operational need to know and business needs that justify the added risk posture. Under the DPA this matters directly: a breach at a partner holding your personal information is still your breach to assess and report.

Configuration Management should then be put in place to establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, workstations, and mobile devices, using a rigorous configuration management and change control process, in order to prevent attackers from exploiting vulnerable services and settings. If your business relies not just on Information Technology (IT) assets but also on Operational Technology (OT) assets, such as SCADA systems or Internet of Things (IoT) devices, those devices should be reviewed for proper configuration just as rigorously and consistently. OT and IoT devices frequently cannot be patched or rebooted on the same cadence as IT assets, so their configuration review should also cover the compensating controls (network segmentation, restricted management access) that protect them in the meantime. Proper Configuration Management entails change control approvals before deployment, along with risk and vulnerability assessments of existing infrastructure. The goal is to identify vulnerabilities, remediate them, and minimize the window of opportunity for attackers.

Building Defense-In-Depth

The new CISO will likely establish a robust, defense-in-depth posture for your business. Technologies such as firewalls, IPS/IDS, web proxy, DLP, SSL visibility/inspection, encryption, automated audit and compliance reporting, multi-factor authentication (MFA), cloud access security broker (CASB), and cloud-based e-mail security infrastructure are all likely candidates for finishing out a robust cybersecurity build that meets the spirit and the guidance found within the NIST CSF. One caveat that matters for a privacy act: SSL/TLS inspection and DLP decrypt and examine user traffic and content, so the scope, retention, and access controls for what those tools capture should be governed under the same data classification rules as any other sensitive data set.

As a cybersecurity leader, Symantec recommends that a comprehensive cybersecurity program be put in place to meet your organization's cyber defense needs. Your goal should be to fully protect your people, data, and devices from both external and internal attacks and data loss. Many Symantec solutions are currently capable of feeding directly into such a programmatic approach. As your business selects products to achieve specialized cyber objectives and to build out or enhance your DPA strategy, our team is willing to help. Click here when you are ready to work with our specialists.

In the meantime, for more information on anything you've read as part of this series on Canada's Digital Privacy Act, please visit our webpage that has links for a white paper, a webcast and infographic on the topic. 

