Appraising Useful National Cybersecurity Plan

Stakeholders in a safe sovereign cyberspace have to agree on common performance indicators by which acceptable, actionable, and auditable national cybersecurity plans are recognized.

Republic Act 10844, which created the Department of Information and Communications Technology (DICT), identifies the cybersecurity-related objective that the agency is mandated to fulfil:

“Ensure and protect the rights and welfare of consumers and business users to privacy, security and confidentiality in matters relating to ICT, in coordination with agencies concerned, the private sector and relevant international bodies;” (Section 6-IV)

The regulatory bodies on cybersecurity and data privacy believe that their rules and regulations actively provide the legitimate resources, the required investment, and the competence needed to achieve the statutory goals and to deliver the published implementing rules.

A cybersecurity strategy and plan is a documented governance output describing what constitutes effective performance, resource requirements, and ethical behavior in achieving the registered legal purpose of the government agency or business enterprise.

The legal purpose is made tangible by the product and service delivery system that creates value, under a recognized incumbent authority, within an operating environment, and over a time horizon for realizing the vision, mission, and goals of the authorized strategy.

An authorized strategy is the communicated intention and the chosen means to reach a visualized, documented, and agreed destination: the interest to be protected and the benefit to be realized.

Interest and benefit are what the primary stakeholders value, fund, schedule, scope, rule, and organize in the programs, projects, and operations of a service organization or business enterprise.

The strategy outlines the enabling principles, policies, and standards on which the right things to do are anchored. It defines the risk criteria for the control requirements that underpin an understanding of the strategic actions to be planned. The consequences of “take action or no action” on the right things to do are elaborated, analyzed, and agreed upon by the stakeholders.

The cybersecurity strategy and plan represent what governance and management know clearly, coherently, and completely about the following:

1. Common stakeholders and agreement on the interest to be protected and the benefits to be realized through security and privacy.

2. Common principles to ascertain quality and quantity in value creation and consumer relationships in sovereign cyberspace.

3. Normative references linking mission, vision, and goals, used to measure when the implemented strategy and plan are DONE as valued, scheduled, scoped, and funded.

4. Inventory of the organization’s critical configuration items that support the digital technology-enabled services of value creation and customer relationships.

5. Status report on actual government and private sector compliance with the registration, certification, and documentation requirements prescribed by existing regulations and policy.

6. Security incident reports derived from the monitoring and response activity of NCERT, and shared cyber threat intelligence from varied interest groups on security and privacy.

7. Prioritized cybersecurity risk mitigation, supported by actual data on non-compliance or omitted controls on cybersecurity and data privacy as ruled by the Department of Information and Communications Technology (DICT).

8. Action plan and prioritized projects with guaranteed funds for execution. In government, the strategy and plan are living documents that support procurement with the budget authorized in the yearly government appropriations act.

In cybersecurity, governance and management succeed with what they know, and they fail where they do not understand how to demonstrate control.

Those who are accountable and responsible report success by what they procured, installed, operated, and maintained to deliver the communicated objectives and the promised outcome.

Improvement in cybersecurity operations is real only when governance and management measure performance against standards, with transparency and participation.

The planning of a cybersecurity strategy is anchored on commonly understood knowledge content that communicates, with clarity, coherence, and completeness, the organization, risk, control, investment, and schedule for achieving the definition of a secure sovereign cyberspace:

  1. The cybersecurity risk criteria and the threat landscape derived from data provided by the National Emergency Response Team.
  2. The adopted cybersecurity function and the authorized organization structure of the Cybersecurity Officer.
  3. The mandated administrative, technical, and physical security controls that protect the critical information infrastructure of the digital technology-enabled services in government and business.
  4. The value stream and supply chain of cybersecurity products and services that support the implementation of the plan.
  5. The fund source and allocation commitment needed to enable the planned action to deliver the mandated administrative, technical, and physical control objectives that address the evaluated cybersecurity risk and assessed vulnerabilities.
  6. The agreed implementation schedule to realize the risk mitigation measures.

The mission, vision, and goals are fully supported by statutory guidance and by international community-driven doctrine on the trust principle, quality performance, and proven practice in cybersecurity, information security, data privacy, and consumer safety.

Risk-based regulation, evidence-based decision-making, and the adoption of international standards on risk management, threat intelligence, and security controls are the foundational knowledge sources for building the requirements of the strategy and plan.

The strategic action is directly associated with “just-in-time” acquisition of materials and people for cybersecurity operations. The NCERT is at the forefront of technical support for the cybersecurity function, and of cyber threat monitoring and alerting.

Training regulation requirements are directly linked to the achievement of statutory goals and the execution of regulatory objectives on cybersecurity and data privacy. They give attention to the prevailing competency framework and to the content of the cybersecurity knowledge ecosystem.

A cyberdrill is a must-schedule event to raise awareness and to test the capability and capacity of users and technical teams to respond to and recover from security incidents that constitute cybercrime and data privacy violations.

Cybersecurity incident response playbooks are developed, published, tested, and improved to ensure whole-of-organization or whole-of-government awareness and resolute action against threat agents that exploit security vulnerabilities in the critical information infrastructure of digital technology-enabled services.
