Security Baselines and cyber risk management Current trends in Information Technology include a heightened emphasis on Cybersecurity and Data Privacy. Governments, Enterprises of all sizes, Infrastructure Suppliers and Consultants are all pouring money into risk management from Products to Policies, Laws and Regulations and Services. When looking at industry best practices, we try to look to established leaders in the field whenever possible. Microsoft is certainly one of the leaders in Cyber Security and Risk Management for the modern collaborative workplace.
They say, “In addition to advancing efforts to secure their own operations, governments are creating public policies to improve enterprise Cybersecurity . There are dozens of ongoing regional and national initiatives that aim to help enterprises manage operational Cybersecurity risks by developing or evolving “security baselines”. It is certainly true that the approach Governments take to develop security baselines will affect the policies, laws and regulations that enterprises MUST be aware of and implement to reduce risk and potential fines. Microsoft acknowledges this “Less effective approaches will create heavy operational and compliance costs without realizing the intended security benefits.” We at Ion believe that by using a combination of tools and an architecture and best practices focused approach, we can help enterprises meet security baselines while revolutionizing the way they do business. Our focus is on not only providing the tools and framework to secure your data and protect your customer’s information, but on increasing productivity at the same time.
Understanding Security Baselines Security baselines in general are a set of policies, activities, and practices that are designed to help management of Cybersecurity risks. Baselines should cover all risk management goals, such as protecting individual data privacy, to the risk of intrusion, corruption or intentional attacks from outside bad actors. Individual Enterprises may desire specific outcomes or address specific risks that are perhaps unique to their industry or individual enterprises. These may include Banks or other Financial Institutions or Airlines or Government Agencies or Departments, so no single specification will necessarily fit universally. However, as Microsoft says, “Our experience is that baselines that specify what organizations need to achieve (i.e., security outcomes), and do not specify exactly how organizations should implement security (i.e., security controls) are more effective and more likely to have significant, demonstrable impacts on the security of organizations over time. By developing baselines that focus on security outcomes, governments can advance the risk management processes, continuous improvement, and strategic investments that improve enterprises’ risk profiles.”
Adopting an outcomes-based approach to security baselines While baselines may secure common risk management outcomes and may be complimented by sector or industry specific requirements including security controls, governance, or even product and service providers with the requisite experience.
Microsoft addresses the Cross-Sector needs, “Additionally, many enterprises are horizontally integrated with enterprises from other sectors; similarly, governments utilize products and services from multiple sectors. These supplier relationships impact both the enterprises’ and government organizations’ ability to comply with regulatory requirements that extend to third parties. Cross-sector baselines therefore heighten the ability of governments and enterprises to assess and demonstrate compliance efficiently.”We at Ion Management have worked with many of the largest Philippine Corporations in several sectors to implement Cyber Security and as Microsoft Partners are fully trained in the Microsoft Cyber Security Framework and baselines and can assist you in your efforts.
Developing effective security baselines Leverage diverse expertise By utilizing and open collaborative, and iterative public policy development process that engages various stakeholders. Microsoft and Ion Management agree, “Through the sharing of experiences, perspectives, and ideas, governments are better positioned to develop baselines that enable improvements in how enterprises manage cybersecurity risk. Iterative processes with multiple chances and ample time for stakeholders to provide input on new draft policies are important. Government entities such as the European Commission, the European Network and Information Security”
Facilitate informed decision-making By bridging risk management understanding both within and between organizations. We already have experience with Philippine Government laws and implementation guidelines and can bring that knowledge and experience to bear on your Enterprise. Microsoft agrees, “Especially in an emerging field like Cybersecurity , there is a need to establish a “common language”—a common way of understanding and using terms and concepts. To do so, a single document or reference point, like a set of security baselines, must be meaningful for and usable by differently situated audiences, such as security practitioners and business executives.”
Manage Risk efficiently Through a risk based and prioritized set of baseline practices. By focusing on the desired risk management out-comes the common factors can be merged with the sector and industry specific requirements. Microsoft agrees and Ion Management fully supports the Microsoft Cybersecurity Framework. Microsoft says, “Risk-based approaches, grounded in an organization’s particular risk and threat landscape, enable organizations to prioritize and focus on security strategies and practices that are likely to have the greatest positive impact on their users.”
Enable Innovation Drive toward desired security outcomes rather than prescribe solutions. Ion Management does not show up on your door with a prescribed set of Cyber Security products or tools or canned solutions. We take the approach that you must adhere to the laws and regulations and implementation guidelines for your sector but that your requirements must be assessed fully and an Architecture Developed that efficiently manages your risks. We also understand that every investment must show a return. The best security is one that your employees and stakeholders will embrace because it makes their job easier and more efficient. Microsoft offers a number of products and services but recognizes the need for innovation as well, “Security baselines should be outcomes-focused, articulating what organizations should aim to achieve (e.g., “control logical access to critical resources”), rather than how organizations should implement security (e.g., “utilize two-factor authentication”), which enables government and industry to benefit from continuous security improvement.”
Best Practices Your Enterprise Architecture should include industry best practices rather than building from scratch. These include Governance, Technology, Process and Compliance. The Microsoft Security Framework is loaded with Best Practices.
“The Cybersecurity Framework, developed by stakeholders convened by the National Institute of Standards and Technology (NIST), is a leading best practice in cyber risk management. It exemplifies a risk-based, outcomes-focused approach that facilitates decision making by establishing a common language.”Support economic growth By realizing economic and security benefits efficiently you reduce risks and costs both for failing to comply with government laws, regulations and guidelines, but the risk of loss of data, integrity and reputation. The Microsoft view,
“Security baselines are not simply a solution to a technical security challenge. They are an opportunity to improve overall risk management and to support economic growth. Governments benefit from security baselines that are aligned to international best practices through better security outcomes and greater efficiencies. Domestic enterprises are able to grow and compete across jurisdictions while improving security. Consumers enjoy increased safety and consumer protection, lower costs, and wider consumer choice from a global marketplace and product innovations.”Conclusion We at Ion-Management support the Modern Workplace as well as the Microsoft Cyber Security Framework. This Blog will amplify the Modern Workplace and Cyber Security in future posts. We are available to assist you in your Cyber Security Risk Management. You may also read more at Ion-ModernWorkplace.com