
UNIT VIII STUDY GUIDE

Standards and Security Policy

CYB 4303, Critical Infrastructure Protection in Cybersecurity

  1. Explain the current state of critical infrastructure protection (CIP) in the United States.
  3.2 Outline steps that an organization could use to create a new cybersecurity program or improve an existing program.

Required Unit Resources

Chapter 18: Strategies for a Networked Nation

In order to access the following resource, click the link below. For the following reading assignment, read Sections 1 through 3 on pages 1–19.

National Institute for Standards and Technology. (2018). Framework for improving critical infrastructure cybersecurity.

Unit Lesson

Strategies for Protection

Lewis (2020) underscores that “knowledge and skills are inadequate without a strategy to securing the nation’s CIKR at physical, cyber, and organizational levels” (p. 371). As we have seen throughout the course, the protection of critical infrastructure assets is not a trivial task. The National Infrastructure Protection Plan’s (NIPP, 2013) purpose is to:

  • Identify, deter, detect, disrupt, and prepare for threats and hazards to the nation’s critical infrastructure;
  • Reduce vulnerabilities of critical assets, systems, and networks; and
  • Mitigate the potential consequences to critical infrastructure of incidents or adverse events that do occur.

The NIPP’s success in achieving these goals necessitates an integrated approach that leverages the resources, capabilities, and experience of the public and private agencies and stakeholders associated with critical infrastructure sectors. According to the NIPP (2013), “This requires efficient sharing of actionable and relevant information among partners to build situational awareness and enable effective risk-informed decision making” (p. 1). Lewis (2020) adds that such a strategy would prepare professionals throughout the affected areas with the capability to respond quickly to any event in any area of the U.S.

The following sections outline standards and security policies that are applicable to the protection of CIKRs. They are not intended to be a complete approach but rather a starting framework of resources and key elements for best practices in standards and policy.

Standards

Industry standards aim to describe and set best practices for achieving a particular activity (e.g., cybersecurity). Standards typically outline concepts, policies, safeguards, risk management, training, auditing, and management. The goal of standards is to achieve a level of consistency across a particular industry or industries. As an example, the standard ISO/IEC 27011:2013 specifies a systematic approach to handling and managing sensitive information for security purposes. The standard also establishes requirements for assessment, auditing, and risk mitigation procedures.

Standards can be applied in a national or global setting. Standards do not carry any legal enforcement or mandate; rather, they are adopted based on market forces such as competitiveness, compliance, or certifications. Standards are developed with a framework in mind, serving as a blueprint for best practices applied at the discretion of infrastructure and sector operators (NIPP, 2013). Figure 1 depicts a cybersecurity framework.

In the United States and Europe, several agencies oversee the creation and management of guidelines and standards. As an example, in the United States, the National Institute of Standards and Technology (NIST) oversees the creation, publication, and maintenance of guidelines and standards. Additional agencies include the International Organization for Standardization (ISO), the Internet Engineering Task Force (IETF), the International Telecommunication Union (ITU), and the Information Technology International Library (ITIL), among others. There are other industry-specific bodies that specialize in a specific need, such as the Payment Card Industry Data Security Standard (PCI DSS), which aims to increase security around cardholders’ information to reduce fraud or exposure of sensitive data. As previously noted, there is no legal enforcement of standards, but there are multiple market forces at play incentivizing companies to follow best practice guidelines and standards. Companies would face public relations disasters if they did not follow recommended guidelines and standards and then suffered a security breach. Moreover, standardization facilitates access to different markets.
When a given organization adheres to the requirements of a specific standard, it is considered compliant, making it easier to do business in other regions or markets. It is worth mentioning that global market standards may become part of regulatory laws, even though standards do not have any explicit legal mandate for enforcement. Thus, not following a standard that is part of a regulation may create a legal quandary. In the context of information technology and cybersecurity, there are many national and international legal agreements that must be followed, based on a number of standards. As an example, the EU General Data Protection Regulation (GDPR) was implemented in May 2018 for the protection of personally identifiable information across Europe and the world for those companies wishing to do business with EU residents (GDPR, n.d.).

Figure 1. NIST cybersecurity framework (Adapted from NIST, 2018, p. 14)

NIST Special Publications (SP)

Unlike guidelines, standards are actionable, meaning that standards outline specific ways to carry out a function or procedure. In the United States, the National Institute of Standards and Technology (NIST) is a well-known organization that develops and maintains standards. NIST publishes standards in the form of special publications, often referred to as SPs. Special publications are publicly available at: http://csrc.nist.gov/publications/PubsSPs.html These publications have been available for some time and are continuously reviewed and edited by government and industry professionals. From a security perspective, some of the most notable special publications are:

  • SP 800-12, An Introduction to Information Security
  • SP 800-18, Guide for Developing Security Plans for Federal Information Systems
  • SP 800-30, Guide for Conducting Risk Assessments
  • SP 800-35, Guide to Information Technology Security Services
  • SP 800-41, Guidelines on Firewalls and Firewall Policy
  • SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
  • SP 800-47, Security Guide for Interconnecting Information Technology Systems
  • SP 800-184, Guide for Cybersecurity Event Recovery

International Organization for Standardization (ISO)

Another well-known organization is the International Organization for Standardization (ISO). The ISO is an independent international organization based in Geneva, Switzerland. The ISO voluntarily develops and publishes its international standards across many industries to enable the unification and coordination of recommended and best practices around the world (International Organization for Standardization, n.d.). The main goal of ISO standards is to facilitate international trade. The ISO has developed and published more than 22,000 standards ranging from technology to manufacturing (International Organization for Standardization, n.d.).

Security Policy

Policies are described as the rights, responsibilities, and consequences of a given behavior. One example is that most educational institutions have academic policies to describe for students what is acceptable and what is not. A university academic policy might state, “A student shall not claim that he/she wrote a document when that document was written by someone else.” Organizations also have policies in place. As an example, companies have acceptable IT-use policies outlining the proper use of company IT equipment for employees. Government agencies use a similar policy approach to ensure uniformity in confidentiality of important government information. Federal laws follow security policy models. A security policy model is a set of policies. These models are really collections of rules that newly enacted policies must follow. These security policy models follow certain characteristics to be successful, but they must be contextual to the organization. Bryson (2017) detailed that policies, procedures, and standards are used within an organization to:

  • resolve a persistent organizational problem,
  • provide a framework and guidance to individuals to assist in decision-making,
  • ensure consistency across the organization in the approach used,
  • declare a change or intention to be followed on a new process or issue,
  • solidify and clarify organizational values or intentions,
  • follow a commitment, and
  • grant entitlements or rights.

Likewise, policy statements extend to public agencies in general. As an example, the following federal laws contain important security policies:

  • Presidential Policy Directive-20: U.S. Cyber Operations Policy,
  • Presidential Policy Directive-21: Critical Infrastructure Security and Resilience,
  • the Gramm-Leach Bliley Act (GLBA), also known as the Financial Modernization Act of 1999 (GLBA Safeguards Act), and
  • the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Security policies also provide a framework for best operational practices, so that organizations minimize risk and respond effectively to any security incidents that may occur. Security policies help ensure that organizations and agencies comply with government legislation and local, state, federal, and international regulatory laws. Within the context of CIKRs, policy and awareness are tightly coupled with computer security. Often the human element is the weakest link in security. According to Nieles, Dempsey, and Pillitteri (2017):

The purpose of information security awareness, training, and education is to enhance security by: (i) raising awareness of the need to protect system resources; (ii) developing skills and knowledge so system users can perform their jobs more securely; and (iii) building in-depth knowledge as needed to design, implement, or operate security programs for organizations and systems. The organization is responsible for making sure that managers and users are aware of the security risks associated with their activities and that organizational personnel are adequately trained to carry out their information security-related duties and responsibilities. (p. 60)

Policy Formulation and Evaluation

From a homeland security perspective, the purpose of a security policy is to ensure security and reliability in information technology environments and to have a policy that applies to people, controls, and operations. The principles of policy enactment, application, and enforcement are to guarantee the security of information, data, equipment, and networks, the proper placement of information, and the feasibility and effectiveness of information security operations. Organizational management must perform policy program evaluations in fulfilling its fiduciary obligations, especially if mandated by regulation (Bryson, 2017).

Organizations must enforce employee adherence to company policies, measure policy efficiency, and identify organizational maturity levels for policy to be effective (Bryson, 2017). Policy evaluation and application methods must be relevant to each CIKR organization or agency. Companies and agencies must evaluate security policies to ensure that relevant information security policies and operations comply with the organization or agency’s strategies and governance. Bryson (2017) reminds us that in many cases, regulatory compliance and standards are part of policy formulation, enactment, and evaluation.

Summary

Standards and security policies are paramount to the security of critical infrastructure key resources (CIKRs). To ensure the proper protection of CIKRs in the private and public sectors, companies and agencies must adopt best security practices in the form of guidelines and standards across all sectors. Organizations and federal agencies are responsible for implementing security guidelines and standards to achieve proper alignment of security goals across all relevant sectors. These security strategies include tools, personnel, processes, clear organizational structures, roles and responsibilities, mechanisms to review and assess the performance of security procedures, and means to recognize any required course corrections.

CORE CONCEPT

Computer security is a concoction of science, technology, engineering, and human factors. A secure system is only as strong as the weakest link; each factor must be secured, using multiple layers to provide defense in depth.

References

Bryson, J. (2017). Managing information services: A sustainable approach. https://ebookcentral.proquest.com/lib/columbiasouthern/detail.action?docID=684506

EU General Data Protection Regulation [GDPR]. (n.d.). GDPR FAQs. https://eugdpr.org/the-regulation/gdpr-faqs/

International Organization for Standardization. (2016). About ISO. http://www.iso.org/iso/home/about.htm

Lewis, T. G. (2020). Critical infrastructure protection in homeland security: Defending a networked nation (3rd ed.). Wiley.

Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). An introduction to information security. NIST Special Publication 800-12 (Revision 1). https://doi.org/10.6028/NIST.SP.800-12r1

NIPP. (2013). Partnering for critical infrastructure security and resilience. Cybersecurity & Infrastructure

NIST. (2018). Framework for improving critical infrastructure cybersecurity.
