Think Cybersecurity is just tech? Here’s why it’s Really About The Rules and Risks


Do you know that cybersecurity goes beyond firewalls, encryption or those endless updates we always ignore? In fact, it’s about knowing the dos and don’ts of the digital world. This is the structure behind the scenes that dictates how we go about protecting whatever is worth protecting. And this is exactly where GRC comes in.


GRC? What is that?

Governance, Risk and Compliance.

Let me break it down.

  1. Governance: These are the policies, procedures, and standards that guide an organization on how to manage cybersecurity. Think of governance as proactive.
  2. Risk: These are the “what ifs.” Risk is basically asking, “What do we lose when threats meet our vulnerabilities?” For example, a thief and a weak fence — what is at stake when the fence falls?
  3. Compliance: These are the ways we adhere to already established rules (governance). Think of compliance as a reactive approach. In other words, it is playing by the rules.

Now, where does GRC fit into the bigger picture?

Let’s talk about the NIST Cybersecurity Framework (CSF).

The framework from the National Institute of Standards and Technology comprises 5 steps to manage cybersecurity risks:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover


Identify.

In the Identify function, we have the following categories:

  • Asset Management (ID.AM)
  • Business Environment (ID.BE)
  • Governance (ID.GV)
  • Risk Management Strategy (ID.RM)
  • Supply Chain Risk Management (ID.SC)


The first step is to identify.

Imagine you own a jewelry store. To secure this business, you need to identify your most critical valuables (assets). You take inventory of all your gold, diamonds, customer records and so on.


Cybersecurity is just the same. Your critical assets in this case are data, people, software, hardware, telecommunications and facilities. Without identifying your assets, how do you know what to protect?


Under the Identify function, we have six components:


  1. ID.AM-1: Physical devices and systems within the organization are inventoried.
  2. ID.AM-2: Software platforms and applications within the organization are inventoried.
  3. ID.AM-3: Organizational communication and data flows are mapped.
  4. ID.AM-4: External systems are catalogued.
  5. ID.AM-5: Resources are prioritized based on their classification, criticality, and business value.
  6. ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established.


How are these policies interpreted? Let’s break this down further.


1. Physical and Software Asset Inventory (ID.AM-1 & ID.AM-2)

In practice:


All devices and software accessing your organization’s information must be accounted for. This is to prevent unauthorized access.

Assets should be managed well throughout their entire lifecycle – from acquisition to disposal.

Automating asset lifecycles with a well-maintained database is the most efficient approach, because automation reduces human error.

Asset vulnerabilities are best addressed when grouped into six categories.

Security investment should never exceed the value of the asset being protected. This is a cost-effective security decision.


3. Organizational communications and data flows are mapped (ID.AM-3)

Transmission equipment includes your switches, routers, intrusion prevention systems, firewalls, and so on.

In practice:


The organization can provide you with a network diagram. You can also ask the network engineers.

You must know where data is archived and processed, i.e. you should identify where data is stored, how long it is retained, and the systems or locations where it is processed, for proper security and compliance.

Identifying implemented technology such as NAT, encryption, etc. is essential for understanding how data flows.


4. External systems are catalogued (ID.AM-4)

What about systems that are not inside your network, for instance the cloud? How do you go about those?


Does your organization use a distributed database management system?

Do your branches, divisions or remote offices run servers that collect batch data then transfer it daily for central processing?

Is your organization spread across multiple locations nationally or internationally?


5. Resources are prioritized based on their classification, criticality and business value (ID.AM-5)

After identifying these assets, how do we prioritize them?

The criticality of networks is determined by the type of data they store or process.

Information assets must be assigned a value to ensure effective risk management.

Service-level objectives are defined to help coordinate the actions of internal departments and external service providers during events that threaten data confidentiality or system availability. These objectives set performance expectations so that disruption can be managed effectively.

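The lifecycle rule from section 1 (ID.AM-1/ID.AM-2, acquisition to disposal, spend never exceeding asset value) and the prioritization rule from section 5 (ID.AM-5), worked through as an added Python example that is not part of the original post. The lifecycle states, the classification weights, the scoring formula and the sample inventory are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Lifecycle from acquisition to disposal (ID.AM-1 / ID.AM-2); the states and
# allowed transitions are an assumption made for this example.
LIFECYCLE = {"acquired": {"in_service"}, "in_service": {"retired"},
             "retired": {"disposed"}, "disposed": set()}

# Classification weights are an assumption for scoring, not values from the CSF.
CLASS_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

@dataclass
class Asset:
    name: str
    kind: str              # "hardware" (ID.AM-1) or "software" (ID.AM-2)
    classification: str    # classification of the data it stores or processes
    criticality: int       # 1 (low) to 5 (critical)
    business_value: float  # value of the asset to the business, in currency units
    security_spend: float = 0.0
    state: str = "acquired"

    def transition(self, new_state: str) -> None:
        # Move along the lifecycle; reject steps that skip or reverse a stage
        if new_state not in LIFECYCLE[self.state]:
            raise ValueError(f"{self.name}: cannot go from {self.state} to {new_state}")
        self.state = new_state

def priority_score(asset: Asset) -> float:
    # ID.AM-5: rank by classification, criticality and business value together
    return CLASS_WEIGHT[asset.classification] * asset.criticality * asset.business_value

def prioritize(assets: list) -> list:
    # Disposed assets no longer hold data, so they drop out of the protection list
    return sorted((a for a in assets if a.state != "disposed"), key=priority_score, reverse=True)

def over_invested(assets: list) -> list:
    # Spend on protecting an asset should never exceed the value of that asset
    return [a.name for a in assets if a.security_spend > a.business_value]

def build_inventory() -> list:
    # Constructed sample inventory; every name and figure here is made up
    db = Asset("customer-db", "software", "restricted", 5, 500_000, security_spend=40_000)
    pos = Asset("pos-terminal-01", "hardware", "confidential", 4, 20_000, security_spend=25_000)
    site = Asset("marketing-site", "software", "public", 2, 15_000, security_spend=1_000)
    laptop = Asset("old-laptop-07", "hardware", "internal", 1, 800)
    for step in ("in_service", "retired", "disposed"):  # walk one asset to disposal
        laptop.transition(step)
    return [db, pos, site, laptop]
```

Running `prioritize(build_inventory())` ranks the database first and leaves the disposed laptop out, while `over_invested` flags the terminal whose protection costs more than the terminal itself.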

6. How do you differentiate these roles and responsibilities? (ID.AM-6)

Finally, roles must be defined to ensure accountability.


Document, approve, and communicate roles and responsibilities for all employees. This helps to ensure accountability.

As part of supplier relationship governance, both parties must document, authorize, and communicate roles and responsibilities. This ensures clarity when working with external vendors.

Annual compliance reviews must be conducted to verify adherence to the terms outlined in agreements with external service providers. Regular reviews identify and address potential security risks.

Agreements with external service providers must include provisions granting the right to conduct annual security audits of their security architecture. This ensures providers maintain the required security standards over time.