Applying CIA Concepts to Cyber Resilience

In classical information security practice (it is interesting to note that the need for information security is barely 30 years old and conventional practice is already considered “classical”) an organization is expected to identify and categorize its critical assets; evaluate security threats and vulnerabilities; categorize the impact of those threats on the Confidentiality, Integrity and Availability of the assets; evaluate the likelihood that those threats might actually occur; and identify, implement and monitor “controls” which would mitigate the threats with the greatest likelihood and impact and thus reduce the risk to the organization.

The most committed organizations create a “culture of security” wherein everyone is encouraged to protect confidential information, is provided with policies to follow and training to recognize and report suspicious activity, and tools which monitor user and network behavior.

Yet, despite having the most advanced and innovative tools, providing continued warnings not to share credentials or click on adverse links, and making significant investment in monitoring, security breaches continue to occur on an alarming and regular basis.

The fact is that cyber security alone is no longer sufficient. Organizations must put measures in place to respond to and recover from cyber attacks, and they will need to improve their business continuity management to ensure that if (when?) they are breached they can recover quickly and, importantly, avoid devastating financial losses.

The focus of Cyber Resilience is Recovery.  So let’s examine Cyber Resilience through the lens of CIA.

Confidentiality – How will the organization respond to a breach of confidentiality? What incident reporting mechanisms are in place to notify appropriate authorities, end users or customers? What will the impact be on the business of improper or delayed reporting? In the recent eBay breach the greatest criticism was not that the breach happened but that eBay did not report the breach in a timely fashion to its users.

Integrity – How will the organization respond if key data or control systems are manipulated?  How are monitoring systems configured to highlight malicious activity within the millions of events that are typically captured?

Availability – What alternate communication pathways and computer systems can be deployed if the core systems become unavailable due to failure or attack?  How long will it take to activate the alternate systems? How much data loss might occur during the failover process?

In summary, the key to a good Cyber Resilience program is to establish appropriate notification processes, enhance vigilance on network activity and plan for contingent systems if primary ones become unavailable.  The program must be tested on a regular basis and updated as regulations, personnel and systems change.

The good news is that the Ponemon Institute says, in its 2014 Data Breach Report, that companies that have implemented good business continuity management programs have 5-10% lower data breach costs than those firms that have not.
