How to determine, describe, document, and demonstrate the elements that compose a valid and verifiable cybersecurity strategy and plan in order to prevent, respond to, and recover from security incidents that are considered cybercrimes?
The desk research and product-marketing assumptions of subject matter experts about cybersecurity requirements have to be affirmed at the ground level of work, the security projects and operations that implement the control safeguards and response efforts against the cyber kill chain of vulnerability exploitation and cybercrime.
The organization of the cybersecurity function in the government and private sector is a critical knowledge source for valid and verifiable policies, activities, and resources for safeguarding the information confidentiality, process integrity, system availability, data privacy, user safety, and infrastructure resiliency of the digital technology-enabled services that threat agents find in the sovereign cyberspace.
Cybersecurity strategy formulation and planning are made meaningful when the content is made to report and attest conformity to the acceptable, actionable, and auditable user or consumer requirements that are derived from laws, regulations, standards, technologies, and incident reports of cybersecurity, information security, and data privacy.
The documented strategy and plan put into policy, directive, organization, and funded action the agreed principle, performance, and practice of setting up and maintaining the quality management system in cybersecurity, information security and data privacy in the government and business enterprise.
The development, enablement, and oversight of a cybersecurity strategy and plan are a governance deliverable in the government agency and business enterprise that are mandated to provide access to the cybersecurity function of controlling security incidents that are considered cybercrime, a threat to consumer safety, and a violation of data privacy.
The planned strategy to defend sovereign cyberspace is enabled by the integrated activities related to the foundational components of cybersecurity operation that support the realization of the mandated mission, vision, and goal:
1. Doctrine
2. Organization
3. Training
4. Materials
5. Leadership
6. Personnel
7. Fund
The quality of cybersecurity defense is identified, tested, and improved in the regular conduct of cyber drills. The understanding, decisions, and actions of both cyberattack and cybersecurity are demonstrated by the red team and blue team of the cybersecurity operation.
A national cybersecurity plan is made valuable by its immediate impact on the commonly recognized capability and capacity requirements of the operating environment to commit and complete the delivery of security and privacy control and outcome.
Governance represents valid and verifiable assumptions and methodology to provide quality in strategy formulation and planning of the security requirements to make safe and resilient the critical information infrastructure that supports the digital technology-enabled services of value creation and a citizen or consumer relationship.
The governing body, top executive, and middle management of the organization document and communicate with clarity, coherence, and completeness the principles, performance, and practice that assure access of the whole of the organization to the “cybersecurity function”:
1. Identification
2. Protection
3. Detection
4. Response
5. Recovery
(ISO 27110 – Cybersecurity Framework Development Guidelines)
The cybersecurity function is a framework adopted by governance to understand the control management requirements against cyber threats, or security incidents in cyberspace, that make uncertain information confidentiality, process integrity, system availability, data privacy, consumer safety, and infrastructure resiliency.
An E.O. 605-2007 compliant government agency is by default an example of the use of ISO standards in determining the whole of the organization’s quality management in cybersecurity:
1. Security Governance – ISO 27014
2. Security Management – ISO 27001, ISO 27022, and ISO 27007
3. – ISO 270154
4. Security Controls – ISO 27002, ISO 27701, and ISO 27008
5. Data Privacy – ISO 29100
6. Cloud Computing Security and Privacy – ISO 27017 and ISO 27018
7. Security Incident Management – ISO 27035
8. Security Risk Management – ISO 27005 and ISO 29134
9. Security Business Continuity – ISO 27031
10. Security Competency – ISO 27021
11. Security in Supplier Relationship – ISO 27036
The appreciation and prioritization of results, schedule, activities, and resources to support the achievement of cybersecurity outcomes are made real by the organization’s clear and present knowledge of the cyber kill chain, cyber threat intelligence, security audited inventory of assets, and cybersecurity value stream and supply chain.
The planning and standard business unit of the responsible agency or enterprise on cybersecurity is a repository of knowledge artifacts to support understanding and decisions associated with the examination of threats, mitigation approaches, and security support ecosystem.
The critical competence for getting the strategy and planning of cybersecurity right the first time, so that it is acceptable, actionable, and auditable, is the cybersecurity or information security officer organization that assures the quality delivery of its authorized work objectives:
1. Protect-Shield-Defend-Prevent
2. Monitor-Hunt-Detect
3. Respond-Recover-Sustain
4. Govern-Manage-Comply-Educate-Manage Risk
(TECHNICAL NOTE CMU/SEI-2015-TN-007)
The cybersecurity strategy and plan are true to their intended value for enabling information security, data privacy, consumer safety, and infrastructure resiliency when they communicate simply, clearly, and reliably the following:
1. The status of cybersecurity control in the critical information infrastructure of sovereign cyberspace. Controls are based on adopted standards of existing rules, regulations, and agency policies.
2. The clear and present data on security incidents as monitored by, and reported to, the NCERT and Cybercrime Prevention Agency.
3. The investment data on the acquisition of cybersecurity risk control and competence management resources in the government agencies and service providers associated with critical information infrastructure.
4. The playbook of incident response, and of the cyber drill of cyberattack and cybersecurity.
5. The “trust” listing of product and service providers in the country’s supply chain and value stream of cybersecurity and data privacy solutions.
6. Training regulation on cybersecurity competence management to support quality knowledge and skills in the implementation of security and privacy control objectives of the cybersecurity strategy and plan.
The citizen or consumer trusts a publicly published cybersecurity strategy and plan that simply, clearly, and coherently determines, describes, documents, and demonstrates the answers to the following questions of understanding:
1. What is to be achieved, maintained, prevented, and eliminated in realizing citizen or consumer experience of secured cyberspace of digital technology-enabled services?
2. Who is accountable and responsible for implementing, maintaining, and overseeing cybersecurity functions in the organization related to the critical information infrastructure of sovereign cyberspace?
3. When is the “just-in-time” result delivery of prioritized action to mitigate evaluated cybersecurity risk by the incumbent authority?
Cybersecurity strategy and planning start right the first time with the competence to identify, analyze, map, and apply the associated local and international regulations, and the international community-driven standards, to build the customized “user story” of cybersecurity in the digital technology-enabled services of government agencies and business enterprises.
A cybersecurity strategy and plan are bound to fail in their safeguarding objectives when the prerequisites of asset visibility, decision rights, evaluated risks, control standards, competence management, and supply chain are not made clear, coherent, complete, and consistent. Together these compose the integrated requirements that support cybercrime prevention and data privacy in the sovereign space of creating value and relating to the citizen or consumer.
The acceptability of a cybersecurity plan is indicated by the funds authorized to meet its objectives.
The actionability of a cybersecurity plan is indicated by available enabling resources for the acquisition requirement.
The auditability of a cybersecurity plan is indicated by its compliance with rules and regulations and adoption of known international standards of practice.
A national cybersecurity plan is a requirement in fulfilling the cybersecurity function to achieve the statutory goals and regulatory objectives associated with information confidentiality, process integrity, system availability, data privacy, consumer safety, and infrastructure resiliency of the digital technology-enabled services that are found in the sovereign cyberspace.
