Almost every day, there is news about a cyberattack against a computer network or major computer system. Because such attacks are inevitable, the discussion turns to cybersecurity. The emphasis is then on the need for a cybersecurity plan and the long list of things that the organization should have done or needs to do to protect itself. The question, then, is: what is a cybersecurity plan?
The first point is that a cybersecurity plan which is focused only on cybersecurity will not help. A second issue is that not many agree on where cybersecurity begins or ends or what it consists of. What is required is system security, with cybersecurity controls embedded in the system security controls. The difference is the focus; cybersecurity looks at data security, access control, system monitoring, etc.; system security includes these cybersecurity controls and user training and education, risk management, physical security, and other system-wide security aspects. The point is that system security is an all-hazards approach to security, with the emphasis on the integration and synchronization of different security areas into a single plan. An example of the need for this holistic approach is that 90% of successful cyberattacks are through email, and the most successful means of combatting this is through training. System security success is then the result of doing many things successfully.
As the requirements for system security grow with the increasing threats, there is a corresponding requirement for businesses to protect their systems by establishing system security plans and implementing these best practices. There are many system security plan outlines, and depending on the industry, there are specific industry standards. One example of a system security plan template is the SANS Institute's SANS Security Policy Templates. The system security plan templates for federal and non-federal systems are the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 for federal systems and NIST SP 800-171 for commercial or non-federal systems. The NIST standards are used to frame the requirements for the Health Insurance Portability and Accountability Act (HIPAA), the Department of Homeland Security – System Security Plan, and other federal security requirements. In addition, there are the International Organization for Standardization (ISO) standards. The most common is ISO 9001, which covers quality management; ISO 27001 is the information security standard.
In broad terms, cybersecurity or system security should not be considered a single-purpose effort whose only benefit is meeting a certification requirement. The reality is that all businesses need to protect their information and information systems. When followed, any of the system security plan examples listed here will provide adequate security. All of these plans are designed to ensure three aspects of system security: availability, meaning the system and its information are accessible to appropriate users when needed; integrity, the assurance that the information has not been changed; and confidentiality, the assurance that the information has not been released to anyone not authorized to receive it.
A key goal in developing any system security plan is to meet adequate security requirements. Three general concepts frame adequate security. First is the acknowledgment that there is no such thing as perfect security: it is impossible to prevent all breaches or compromises. Second, adequate security is proportional to the value of the information, meaning the cost and effort spent on security should match the risk of a breach or compromise. Last, the plan should follow the best practices for the organization, which generally means using the industry-specific system security plan, which is often a business requirement in its own right.
Scrape away the technical and administrative requirements, and it is management buy-in and support that are the most important elements in developing a system security plan. Meeting many of these requirements will often require business process engineering. All system security plans require institutionalization, which requires labor and system upgrade budgets. These tasks require direct management involvement and the sustainment of company resources over the life of the organization. The requirement is for system security, not only cybersecurity; the means to that end is through a holistic approach supported by the management throughout the organization.