Cybersecurity Policy Framework 1 of 3
A Framework is used in Information Technology to define anything at a high level as opposed to a template that defines something specific at a low level. You use Frameworks to reduce the level of effort needed to accomplish some goal. Programming Frameworks for example are used to reduce the programming effort needed to build some software. A Template on the other hand is usually written in a particular programming language that has common elements and code that are typically needed and also to reduce the effort needed in writing software.
This article is the first of three articles that describe a Cybersecurity Policy Framework that can be actively designed using industry best-practices. By using an Enterprise Architect to develop this framework your enterprise will reduce the effort to achieve the Cybersecurity goals of the Enterprise while conforming to the laws, policies and implementation guidelines of the Philippines. The use of an architect and staff experienced in the use of various productivity and collaboration tools that can be woven together using multi-factor analysis linked through the enterprise’s active directory will allow you to seamlessly implement these guidelines while increasing productivity.
Ion Modern Workplace has experience in all of this with some of the largest corporations in the Philippines and can assist you in your efforts.
Why have a National Cybersecurity Policy Framework
It is becoming commonplace to hear or read about some Cybersecurity breach and loss of data or identity theft or any number of other Cybersecurity threats. To say that a National Cybersecurity Policy and laws and implementation guidelines is needed is surely an understatement. Thankfully the Philippine Government has passed Data Privacy Laws and published implementation guidelines to address these problems.
Microsoft has said, “The value of good cybersecurity law is not abstract. Research on a number of potential configurations of cyberspace in 2025 shows that policy decisions, notably in areas broadly defined as ‘cybersecurity policy’, can have significant ‘real world’ effects.”
The need for a National Cybersecurity Framework of Laws and Policies must be balanced between the risks and benefits. Too harsh and Cyber Threats may be mitigated at the expense of lower productivity and higher costs. Inadequate Laws and Policies might reduce up-front costs to implement but opens the door to Cyber Threats that themselves carry costs. The right balance is therefore needed and that comes from collaboration with the Government and industry. Where these points of contention meet is the very place thought leadership becomes crucial, and best-practices are developed. Ion is actively involved in that effort.
Here in the Philippines a Data Privacy Law and its Implementation guidelines are well known and published with stiff fines for those corporations that are not compliant. This is just part of an overall Cybersecurity Framework that you as an Enterprise Architect must be aware of to reduce your risks both for Compliance violations and Cyber Threats.
Microsoft is dealing with this very thing worldwide: “For example, whereas privacy laws in many countries are now captured in a single, comprehensive statute, supported by a specific agency empowered to enforce the laws and raise national standards, cybersecurity regulations are often heavily-fragmented and, in some cases, key principles are yet to be addressed at all.”
Cybersecurity is certainly a broad spectrum of both threats and solutions from Data Privacy, to Encryption to Infrastructure and Intrusion prevention to Detection and Operations Control. None of these areas are new to Ion and none of these are available from a single vendor.
It is against this backdrop that Microsoft has developed this Cybersecurity Policy Framework. As a global technology company, Microsoft has been at the heart of discussions about Cybersecurity between industry and governments around the world for many years. We have observed and been involved in the development of best practices in Cybersecurity regulation, from outcomes-focused approaches to cyber-crime laws to implementation of security baselines for critical infrastructures.
Cloud vs. On Premise
There are many that even today believe that on premise data centers and systems are more secure than the cloud. With the plethora of cloud service providers from Digital Ocean and Amazon to Microsoft Azure the reality is that Cloud computing is FAR more secure than on premise.
Cloud data centers are virtually impenetrable with the latest in security both physical and Cyber. The access is tightly-controlled and the technicians do not even know what software is running where and any access is controlled and tracked to the point that any individual will not be capable of specific intrusion, theft or sabotage. On premise, however, the possible attack vendors multiply. From disgruntled employees, to carelessness, from improperly maintained active directories, to sloppy vendor management. Each of these potential elements make it infinitely more difficult and expensive to manage your security while maintaining productivity. It is certainly possible to secure an on-premise data center, if you can afford it, while the Cloud data centers are already using the very best in security. A key element of thought leadership is in developing a framework that can shift some workloads to the cloud while maintaining data-sovereignty and compliance with governmental regulations.
Cloud is more secure for the following typical capabilities:
- Cyber Defense Operations Center – A state of the Art Facility staffed 24/7 with experts in Cybersecurity and operations people to support all the systems in the Data Center
- Digital Crimes Unit – The detection, prediction and monitoring of known threats and cooperation with National and International Law Enforcement agencies means there should be no surprises of emerging threats.
- Most Cloud Vendors such as Microsoft Azure also have a Global Center for Cybersecurity for Strategy and Diplomacy – partnering with Governments and industry vendors of Cybersecurity products and services.
In this article we introduced the concept of a Cybersecurity Framework and how Governments and Enterprises can benefit from them and some of the highest levels of Cybersecurity elements. We also touched on the possibility of using cloud when possible, leveraging the investment someone else is using on Cybersecurity.
Ion Management will publish future articles on more details of Cybersecurity, including Cybersecurity Framework, Philippine laws, policies and implementation guidelines.
Microsoft cybersecurity policy: www.microsoft.com/en-us/cybersecurity
A Cloud for Global Good: news.microsoft.com/cloudforgood/
Microsoft Trust Center: microsoft.com/en-us/trustcenter/
About the Author
Michael Oliver, SOACA and Chief Enterprise Architect for Ion Management