It all starts with a plan. Cybersecurity Program Management Plans are essential. If a Cybersecurity Program Plan is not developed, documented, and effectively communicated to all appropriate stakeholders, you may run the risk of losing focus on necessary key components that make up a complete, comprehensive cybersecurity program. An effective plan should contain information about the controls adopted by your organization, and it should be the basis for how your cybersecurity program is implemented. Keep in mind that the plan will require ongoing maintenance, as well as management support, to facilitate continuous improvement.

When developing your plan, avoid making it too complex. Not only will an overly complex plan require unnecessary time to complete, but it is also likely to be ineffective if it is difficult for people to understand. The Cybersecurity Program Plan should be appropriate for the size and complexity of your organization. It should be scoped based on your organization’s mission, objectives, stakeholders, and business activities. Once finished, you should ensure that the plan is disseminated to all appropriate personnel to provide insight into the requirements of the cybersecurity program.

Be sure to assign someone the responsibility of maintaining the Cybersecurity Program Plan. This maintenance includes performing regular reviews (e.g., at least annually) and making appropriate updates after each review. Stale documentation is the worst enemy of an audit, exam, or assessment, so you need to ensure all cybersecurity program documentation is regularly reviewed and kept current. Events that serve as catalysts for updates may include assessment or audit findings, lessons learned from cybersecurity incidents or data breaches, or changes to laws, regulations, or other guidance that impact the requirements of your cybersecurity program. Any material changes made to the plan during the review and update process should be communicated to personnel.

Pro Tip:
Do not wait until your Cybersecurity Program Plan is perfect before you begin to implement it and communicate control requirements. If you wait until you have a “perfect” plan, you may never finish it. Your plan is expected to be a living document that will mature over time as incremental improvements are made to best suit the evolving needs of your organization.

Cybersecurity Program Documentation

Many organizations have found success with implementing a Cybersecurity Program Management Policy that also serves as the Cybersecurity Program Plan. This makes sense as the policy itself is intended to identify the requirements needed to implement and maintain an effective plan. Why maintain two documents with the same details? As long as the policy includes all the appropriate details needed for your cybersecurity plan, this can be an effective way to achieve two goals with one well-written document.

A comprehensive plan should include elements for cybersecurity tools and technologies. Appropriate personnel should have the assigned responsibilities to identify, measure, mitigate, monitor, and report cybersecurity-related risks in accordance with program requirements. When planning for cybersecurity controls, keep in mind that implementing cybersecurity tools and technologies is only one component of a comprehensive security program. You can have cybersecurity tools and technologies in place without having a complete cybersecurity program. However, you cannot have a complete cybersecurity program in place without appropriate cybersecurity tools and technologies.

Your program should be integrated into your organization’s cross-functional business units and support functions. An integrated program provides the ability to assign control ownership to cross-functional stakeholders. It is important that the entire organization understands that the cybersecurity program is not something that is the sole responsibility of the “security team.” Similarly, it is not just an “IT” problem. An effective cybersecurity program requires participation from the entire organization.

Scope of the Cybersecurity Program:

Defining the appropriate scope for your cybersecurity program is a critical component of achieving and maintaining compliance. In general, your program should be implemented consistently across the entire organization. However, defining the scope of your program goes well beyond determining which parts of the organization are “in scope.” Cybersecurity program scope definition includes determining whether each control contained in the control framework is applicable to your organization. For example, software development or secure coding controls would likely be out of scope for an organization that does not develop software or application code for any internal purpose or external use.

When defining the scope of your cybersecurity program using a prescribed set of controls such as ISO 27001, PCI, HIPAA, NIST SP 800-171, or other control framework, you should review each control to determine its individual and relative applicability. This may seem like a daunting task, but it can be a relatively quick exercise. You should have two groups of controls at the end of the review, one large group of controls that are clearly applicable to your organization, and a smaller set of controls that have been deemed to be not applicable. As you make these applicability determinations, keep in mind that you will need to document the rationale for every control that is deemed to be not applicable. This rationale will need to withstand auditor, assessor, or examiner scrutiny, but if there is a legitimate reason that a particular control does not apply to your organization, it can be removed from your internal set of cybersecurity controls.

The scope of your cybersecurity program is also influenced by the context of your organization. What does your organization do for a living? What core or critical components are included within your product and services offerings? There are obvious answers to these questions, but the organization’s mission, objectives, stakeholders, and business activities need to be understood and prioritized to help define the context of your organization. This information is also critical to ensure appropriate decisions are made regarding cybersecurity program roles, responsibilities, control requirements, goals, and objectives.

The context of your organization may also be driven by the needs and expectations of interested parties (e.g., customers, regulators, auditors, etc.) that introduce legal, regulatory, or contractual requirements. These details will also influence the scope of controls contained within your overall cybersecurity program. The context of the organization, including interested parties and expectations, along with the cybersecurity program scope, should be documented and available for review or reference whenever needed.

Documentation should be updated regularly to reflect changes in the internal and external operational environments. Changing requirements should be communicated to management and other applicable stakeholders as soon as possible and promptly addressed. Changes to the context of the organization could have a negative impact on existing security controls and frameworks by reallocating or removing resources that once supported in-scope controls or by resources inheriting new responsibilities for which established controls have not been defined. As a result, it is important to revisit the context of your organization and scope of the cybersecurity program when changes occur to ensure that in-place controls remain appropriate.

Cybersecurity Program Controls

The implementation and management of cybersecurity program controls should be centrally managed within your organization. This helps to ensure that controls are implemented consistently across varying cross-functional business units. Centralized management also provides leadership with the ability to view the status of control implementation for the organization from a single source. Further, centrally managing controls may help support independence requirements as part of your organization’s continuous monitoring efforts.

Pro Tip:
Automated tools can improve the accuracy of monitoring controls and associated processes. There are automation tools available that can provide data aggregation and correlation capabilities, along with real-time compliance status dashboards to support risk-based decision making within your organization.

Control Baselines:

Control baselines for cybersecurity are predefined sets of controls that are specifically designed to address the cybersecurity needs of an organization. Controls should be selected to satisfy requirements that are mandated by laws, regulations, directives, and other guidance as well as to address common cybersecurity threats. Control baselines represent a starting point for protecting information assets based on your organization’s mission, business operations, and other potential constraints. If you do not have a single official who is responsible for your overall cybersecurity program, you may want to include cross-functional stakeholders from across your organization in the selection and approval of baseline controls.

Tailoring Baseline Controls:

Occasionally, it may be appropriate to tailor defined baseline controls to meet the specific needs of your organization. The tailoring of controls supports the development of cybersecurity plans that reflect the specific mission and business operations of your organization. Tailoring baseline controls can be accomplished by applying scoping considerations, identifying compensating controls, assigning values to control parameters (e.g., frequency), supplementing baseline controls with control enhancements when needed, and providing information specific to the manner in which controls are implemented.
If you are considering creating a cybersecurity plan for your organization, our vCISO offering takes a holistic view of cybersecurity allowing you to assess your risks and determine the appropriate mitigation strategies for your business.

Author

Royce CISO
James provides technology leadership to Vistrada across technology service delivery, software, and infrastructure. James brings more than 25 years of experience executing technology analysis, delivery, and operations for companies from startups of less than 10 employees to Fortune 50 corporations. James has held previous leadership roles as a CTO at Alliance Life Sciences Consulting Group, CTO at Adjility Consulting, Managing Consultant at Curam, a Director at Adjoined Consulting (acquired by Capgemini), Vice-President at Digital Demographics, and Senior Manager at Accenture. James holds a Bachelor of Science in Mechanical Engineering from Rensselaer Polytechnic Institute.