Cybersecurity Policy Framework 2 of 3
As we discussed in the previous article, Cybersecurity Policy is developed by Governments for implementation by the Enterprises within their domain. Enterprise Architects and Management need to be compliant with the resulting laws, policies and implementation guidelines. Ion Management has experience in these Cybersecurity elements and applies them as part of our Modern Workplace. This article continues the discussion with key Concepts in Cybersecurity Policy and how they should be considered in your Enterprise Cybersecurity implementation.
Key Concepts in Cybersecurity Policy
Although there is as yet no formal Cybersecurity Glossary of common terms, we offer the following terms as a common language for our discussion. These definitions are not intended to be comprehensive, nor are they intended to form the basis of any legal or regulatory definition. Instead, they provide high-level assistance in understanding the key concepts as they are now widely understood, ahead of their being explored in more detail later in this Cybersecurity Policy Framework.
- Cybersecurity - The protection of connected systems and networks, and the data stored on those systems and transferred via those networks, from attack, damage or unauthorized access.
- Cybersecurity norms - Agreed expected outcomes for Enterprise Cybersecurity initiatives at an international level - e.g., the need for states to cooperate in preventing international cyber-crime.
- Critical Infrastructure - Systems and assets, whether physical or virtual, so vital to the country or Enterprise that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
- Information Security - Protecting information from unauthorized access, use, disclosure, disruption, modification or destruction.
- Security Baseline - The minimum security standards and expected outcomes required for information security systems.
- Information Assurance - The steps involved in ensuring information security.
- International Standards - Typically refers to international security standards, such as ISO/IEC standards, against which organizations can measure their security practices. These are all under development now with those standards bodies.
- Critical Information Infrastructure - Information and communication systems forming part of CI (see above) whose maintenance, reliability and safety are essential for the proper functioning of the CI and/or the country as a whole.
- Security Controls - Specified measures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
These concepts should all fall into a comprehensive design and plan that will not only ensure compliance with Philippine law, policy and implementation guidelines but leverage the available technologies and best practices.
For example, all too often we have seen enterprises take steps to secure the perimeter of their on-premises data centers with Firewalls from a single vendor and fail to secure the applications, the data or even the access controls. This false sense of security is not only insufficient for compliance with Cybersecurity laws but is potentially even more dangerous, because it leads to complacency.
Sometimes the cost of a comprehensive design and implementation plan is considered too high, and shortcuts are taken, such as going out for bid on individual elements instead of following an Enterprise Architectural Method. The resulting disparate technologies can leave gaps that can be exploited, and those gaps are well within the target realm of hackers because they run into the same gaps over and over again.
Ion Management is well versed in the Cybersecurity Policy Concepts and Philippine law, policy and implementation guidelines, and can give you a gap-free Enterprise Architecture for your Cybersecurity implementation.
By Michael Oliver, SOACA Chief Enterprise Architect, Ion Management
Microsoft cyber-security policy: www.microsoft.com/en-us/cybersecurity
A Cloud for Global Good: news.microsoft.com/cloudforgood/
Microsoft Trust Center: microsoft.com/en-us/trustcenter/