Planning, Programming, And Budgeting
The information security program management (ISPM) is a very important process, as it provides oversight for the balance between compliance, security, and resources (Rogers, 2018). The company CIO, Erwin Carrington, is responsible for the development, maintenance, and approval of the plan. The ISPM also states the responsibilities and roles of all individuals who have access to the related systems. There are three main portions to the ISPM: planning, programming, and budgeting. There are four basic strategies that support the goal of reducing the expected cost of cyber attacks (Davis et al., 2016, p. xx). These four strategies are: minimize exposure, neutralize attacks, increase resilience, and accelerate recovery. This paper will identify 5 risks that require a financial investment and discuss the applicability of one selected strategy.
Restarting the SETA program
Red Clay Renovations' CIO reported that the CISO is working to restart the company's security, education, training, and awareness (SETA) program. Not having a cyber awareness-training requirement or strategy is risky, as people are the biggest cybersecurity target. 95% of cybersecurity breaches are due to human error, which means a SETA program or process should be of the highest importance (FraudWatch, 2019). The neutralize attacks strategy strives to prevent as many attacks as possible and reduce the impact of the attack (Davis et al., 2016, p. xx). This strategy can be used to clarify exactly what needs to be planned. Neutralizing the attacks that employees are most susceptible to, like phishing and social engineering, provides a basis for what needs to be done. To ensure that a SETA program is maintained and managed, it may be reasonable to establish a contract with a third party that provides the training annually. This would be considered a financial investment in people. It requires fewer technical controls.
Red Clay Renovations utilizes smart devices that can be accessed from a web application that has no security beyond a username and password. This is a serious risk because these devices are installed into smart homes with little security; these homes could be attacked easily. Applying the neutralize attacks strategy tells us that system management must reduce inherent risk (Davis et al., 2016, p. xx). To reduce the risks or neutralize possible attacks, we must remediate the installation process, and this can be done with official doctrine. This risk calls for a process investment. The investment could be a policy, followed by guidelines that enforce the security of smart devices and set standards for smart device security.
Smart Office IT Architecture
The Smart Office network architecture has a few issues. One of the issues is the inefficient server location. The servers should be placed in a proper DMZ; instead, they sit in the path between the network and the firewall. Neutralizing the chance of an attack will require a technology investment. The CISO should implement a proper DMZ or an application-proxy gateway. The application-proxy gateway places a firewall between the server, the internal network, and the Internet. The network firewall serves as a proxy agent that acts as an intermediary between the two hosts (Scarfone, 2010, p. xx).
The second issue pertains to the wireless portion of the network. The architecture description gives little to no instruction on the connection methods of the wireless devices. The document only mentions that they are addressable by their IP address. This is a risk to the network, as it may be possible for any device inside or outside the network to attack resources. To neutralize the risk of attack, a financial process investment is called for. The development of this process would enforce guidelines for connecting to the network via Wi-Fi as well as for ensuring that devices are authorized.
While BYOD may save Red Clay Renovations money, it is a risk to the organization. BYOD policies allow devices that connect to the network regularly to leave the network and return. This carries the risk of malicious software being installed while the device is connected to other networks. While contractors are not allowed to bring their own devices, regular employees are allowed to bring their devices provided the devices are required to perform their duties. This requires a people and process investment. The people investment would include training the employees who have the BYOD privilege and instructing them in the required processes. The process investment would include the development of an authorization system for devices before they enter the facility. Together these should make for a strong effort to neutralize attacks that come through the BYOD privilege.
Overall, the budgeting for cybersecurity can be made very simple. It is apparent that the cybersecurity team can never reach 100% security, so a strong IT security program with distinct goals can prevent unnecessary spending with regard to the budget. Most of the investments that Red Clay Renovations must consider are people and process investments. This saves the organization the costs associated with responding to cyberattacks. Neutralizing attacks pertains to preventing as many attacks as possible and reducing the impact of the attack (Davis et al., 2016, p. xx). This strategy allows the organization to look at its current security options and allows the technology to be fortified. This strategy is very powerful if implemented properly.
Davis, J. S., Libicki, M. C., Johnson, S. E., Watson, M., Kumar, J., & Karode, A. (2016). A Framework for Programming and Budgeting for Cybersecurity. Santa Monica, CA: Rand Corporation.
FraudWatch. (2019, March 15). What is Cyber Security Awareness Training & Why is it so Important? Retrieved from https://fraudwatchinternational.com/security-awareness/what-is-cyber-security-awareness-training/
Rogers, B. (2018, December 12). Information Security Manager: Information Security Program Management. Retrieved from https://www.pluralsight.com/courses/infosec-manager-information-security-program-management
Scarfone, K. (2010). Guidelines on Firewalls and Firewall Policy: Revision 1. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf