Impact Analysis – Prevention and Response Strategies
Negotiations with Accrediting Bodies
One of the most important parts of compliance certification is negotiating with the auditors or accrediting bodies. The organization should approach these negotiations openly and with thorough documentation. If an organization is serious about compliance, it should disclose what it does to secure its systems, where it is vulnerable, and which compensating controls it relies on, so that everyone knows what they are working with. This transparency makes the system easier to trust, and auditors can make better-informed judgments about the organizations they assess.
Documentation must also be thorough, with evidence of risk assessments (noting potential threat actors, risk and severity, design and objectives, security policy, incident response plan, and evidence of implemented controls) among other records. Proposing mitigating controls is another core strategy. These are especially helpful when the underlying vulnerability cannot be fixed immediately and corrective action must wait. Each proposed control should be clearly explained, reported on, and tracked to completion. For example, a healthcare provider undergoing a HIPAA compliance audit might argue to the auditor that, to compensate for physical security protections that are absent in part of its operation, strong encryption is in place to keep patient data safe.
Response Strategies
Organizations have to develop robust security incident response strategies to mitigate the aftermath of security incidents. Prominent response strategies include breach notification policies and incident response plans (IRPs). A breach notification policy specifies how to notify affected parties, government agencies, and other stakeholders when a data breach has occurred, in order to minimize the damage and preserve trust. The IRP, on the other hand, outlines the procedures to follow during and after a security incident, including personnel roles and responsibilities, communication plans, and how to contain, eradicate, and recover from malicious actions (Gordon et al., 2020).
Employee Training Recommendations
Training employees is how awareness of, and discipline around, security measures is created and maintained, and cybersecurity awareness training is especially important. The most common attack vectors are well known: social engineering attacks such as phishing, along with malware, ransomware, attacks through social networking sites, and cloud-based attacks. Training personnel to recognize these attempts can make the difference in warding off an attack. It is also prudent to run simulated attack exercises and measure how employees react; this lets an organization test its capacity to handle security breaches and gives employees practical experience. Security policies and procedures must also be communicated clearly and made available for easy reference to all employees.
Obtaining Feedback from Stakeholders
Feedback from stakeholders is important for evaluating the effectiveness of the security policy. The organization can send out surveys asking employees, partners, and customers for their opinions on its security measures. Regularly sending out surveys or questionnaires surfaces any issues with those measures. Feedback sessions or focus groups can also be set up to allow deeper discussion with stakeholders about their concerns and suggestions (Sommestad et al., 2014). For instance, a bank could survey its employees and clients about online banking three times a year and use the results to improve its online security measures.
Identifying New Threats and Risk Management
Security is an evolving landscape, so organizations must understand and adapt to new and emerging threats regularly. Using threat intelligence services to stay up to date on emerging threats is key. Security assessments and penetration tests should be run on a regular basis to discover new vulnerabilities. A strong recovery plan that includes reliable backups of key systems ensures that data can be restored after an attack while the organization works out how to handle the attack itself (Shameli-Sendi et al., 2016).
Adapting to Threat Intelligence
Adapting to new threat intelligence includes the integration of feeds into security operations centers (SOCs) for real-time analysis of threats and vulnerabilities and developing an advanced level of structured reporting for all those who need to know. Communication channels should be organized to remind operational managers, other stakeholders, and affected staff of what the risk is, who is accountable for fixing it, and when (Ahmad et al., 2014).
Notification Methods for New Threat Intelligence
Operational managers can be provided with information about new threats and what to do about them via internal reporting and meetings. Reports and briefings can be sent to stakeholders via email or secure portals. Individuals affected can be informed via email alerts, SMS notifications, and hotlines. For example, if a bank learns of a vulnerability in its online banking service, it can send all its customers an immediate SMS, explaining what’s going on and what the bank is doing to fix the problem.
Responding Quickly to New Challenges
Management techniques that enable a rapid response to new challenges include agile methodologies and fluid cross-functional teams. Agile methodologies let an organization shift priorities quickly and integrate new security measures as needed. A cross-functional team that is aligned on getting to the bottom of an incident and putting the necessary countermeasures in place can deliver the response quickly and in a coordinated way.
The NIST Cybersecurity Framework
Within the NIST Cybersecurity Framework’s core of flexible and straightforward practices, five functional areas ground its approach to risk management: Identify, Protect, Detect, Respond, and Recover. It helps organizations create an inventory of ‘resources,’ which includes people, devices, and networks, develop an organizational understanding of ‘business needs and risk management strategy,’ identify ‘cybersecurity events,’ implement ‘policies and procedures,’ and maintain ‘resilience’ (Barrett, 2018). The framework follows the approach below:
- Identify: Develops an organizational understanding of which cybersecurity risks to systems, people, assets, data, and capabilities need to be managed. It includes identifying cybersecurity risks to organizational operations, assets, and people.
- Protect: Specifies the appropriate safeguards to ensure delivery of critical infrastructure services. It supports the ability to prevent or limit the consequences of a potential cybersecurity incident.
- Detect: Specifies the activities needed to identify a cybersecurity incident when it occurs. Continuous monitoring capabilities are essential for timely detection of cybersecurity incidents.
- Respond: Includes the activities that provide an appropriate response to a detected cybersecurity event, that is, to contain its impact and support recovery activities.
- Recover: Determines the appropriate activities for maintaining resilience plans and restoring any capabilities or services impaired by a cybersecurity event. It supports timely recovery to normal operations to minimize the impact of the event.
Business Continuity Plan
A business continuity plan (BCP) details how to keep essential business functions going during and after an event such as a disaster. Parts of a BCP include risk assessment, recovery strategies, plan development, and training and testing.
Risk Assessment determines what could go wrong and the impact it would have on the business. The next step, planning for continuity, involves understanding what is needed to stay in business when things do not go according to plan.
Next, Recovery Strategies deal with issues such as how to bring the business back online after a disruption. This includes backing up data, keeping an alternate operational facility, or taking the ‘manual’ approach to workflows.
Plan Development involves drawing up the business continuity plan in writing and includes details on who is responsible for which tasks, with enough detail to lead the institution through the recovery process but flexible enough to be adjusted as circumstances change.
Lastly, in Training and Testing, employee training and periodic testing of the BCP must be established and conducted to keep the identified plan up to date. The recognized roles and responsibilities of all employees during a disruption to the company’s operations must be known. Testing the plan in simulations or drills will help identify any gaps or weaknesses that need to be corrected (Wallace & Webber, 2017).
Conclusion
An effective resiliency and mitigation plan is one that has clear and transparent negotiations with accreditors, proper response measures, effective training of employees, mechanisms for collecting feedback, sufficient threat intelligence and the ability to adapt to it, rapid response to new threats, the NIST framework, and a proper business continuity plan. With such measures in place, the security posture of an organization is sure to improve.
References
Ahmad, A., Maynard, S. B., & Park, S. (2014). Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25, 357-370.
Barrett, M. P. (2018). Framework for improving critical infrastructure cybersecurity (NIST Cybersecurity Framework). https://doi.org/10.6028/nist.cswp.04162018
Gordon, L. A., Loeb, M. P., & Zhou, L. (2020). Integrating cost-benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model. Journal of Cybersecurity, 6(1), tyaa005.
Shameli-Sendi, A., Aghababaei-Barzegar, R., & Cheriet, M. (2016). Taxonomy of information security risk assessment (ISRA). Computers & Security, 57, 14-30.
Sommestad, T., Hallberg, J., Lundholm, K., & Bengtsson, J. (2014). Variables influencing information security policy compliance: A systematic review of quantitative studies. Information Management & Computer Security, 22(1), 42-75.
Wallace, M., & Webber, L. (2017). The disaster recovery handbook: A step-by-step plan to ensure business continuity and protect vital operations, facilities, and assets. Amacom.
Assessment Description
Prior to or when security measures fail, it is essential to have several response strategies in place. As a final part of the Impact Analysis, write a 1,350- to 1,500-word prevention and response plan that addresses the following:
- Auditors certify (accredit) an organization’s compliance. Often organizations will negotiate with the auditor for more favorable findings or to accept mitigating controls. Identify how negotiations with accreditors on compliance should be dealt with and provide an example.
- Describe appropriate response strategies that can be put into action (i.e., breach notification policies).
- Explain employee training recommendations for creating awareness of the organization’s security measures.
- Define how to obtain feedback on the effectiveness of security policies from stakeholders and provide an example.
- Describe how to identify new threats, vulnerabilities, and risk management (including backups and recovery), or any countermeasures that may not have been accounted for when the initial security measures were first implemented.
- Identify mechanisms to adapt to threat intelligence, which identifies new and overlooked vulnerabilities, threats, and countermeasures. Explain how this would be reported and communicated.
- Explain how operational managers, stakeholders, and/or individuals affected by new threat intelligence will be notified and provide examples for each notification method.
- Identify organization management techniques to respond quickly to new challenges.
- Define and apply the NIST Cybersecurity Framework functional areas, implementation tiers, and profiles.
- Describe how to develop a business continuity plan to prevent and recover from failures in the system.