In a speech on May 29th, 2009, President Barack Obama presented a plan for protecting the nation's digital infrastructure, intended to help the United States ensure its future cyber security while maintaining net neutrality.
Obama's plan for the nation largely mirrors the cybersecurity planning one would expect to see in an SME: appoint policy officials, prepare incident response plans, support cybersecurity awareness and education initiatives, designate cybersecurity as a priority, and establish performance metrics.
President Obama expressed that 21st century economic prosperity will be dependent on cybersecurity.
It is refreshing to see Obama address cybersecurity with an understanding that the internet should remain open and free. The President stressed that the U.S. will protect personal privacy rather than intrude on it, a balance that is integral to information technology risk management.
Human threat sources that can pose a substantial risk of harm to any information technology system include:
- Hackers and crackers: hacking, social engineering, system intrusion, break-ins, unauthorized system access
- Computer criminals: computer crimes (e.g. cyber stalking), fraudulent acts (e.g. replay, impersonation, interception), spoofing, system intrusion
- Terrorists: bombing, terrorism, information warfare, system attack (e.g. distributed denial of service), system penetration, system tampering
- Industrial espionage (e.g. companies, foreign governments, other government interests): economic exploitation, information theft, intrusion on personal privacy, social engineering, system penetration, unauthorized system access (e.g. access to classified, proprietary and/or technology-related information)
- Insiders (e.g. poorly trained, disgruntled, malicious, negligent, dishonest or terminated employees): assault on an employee, blackmail, browsing of proprietary information, computer abuse, fraud and theft, information bribery, corruption of data, interception, malicious code (e.g. virus, logic bomb, Trojan horse), sale of personal information, system bugs, system intrusion, system sabotage, unauthorized system access
For organizations involved in e-commerce, or that use the internet to transfer proprietary information internally or externally, the risk from online threats can be reduced, and the residual risk transferred through cyber liability insurance, while regular IT auditing helps locate IT-related risk management hotspots within the organization.
The University of Virginia is a good example of information technology risk management at work. The University publishes an extensive library of security and data protection policies, topics and standards that guide its community's security and data protection, responsible use, copyright policy, procedures, information flow, monitoring and standards. The University's IT Security Risk Management Program describes a risk management process that SMEs can adapt and apply.
Step 1: IT Mission Impact Analysis
- Determine your critical assets (e.g. hardware, software, information and people)
Step 2: IT Risk Assessment
- Assess security practices against audit, state and federal standards
- Map your critical assets identified in Step 1 to threat scenarios
- Weight each threat by the likelihood of its occurring and the impact if the corresponding vulnerability were exploited
- Prioritize the threats you face
- Map these threats back to response strategies
- Create (or update) security planning for mitigating and/or accepting the identified risks
- Take into account previously implemented strategies and existing plans
- Document your key decisions and justifications
Step 3: IT Mission Continuity Planning
- Create (or update) a response plan for you to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed
- Test your plan
Step 4: Evaluation and Reassessment
- Repeat Steps 1-3 every three years or when there are significant changes to departmental IT assets or to the risk environment
- Review how well your earlier analysis, testing and responses worked, whether those responses were corrective, preventive or post-incident actions
- Incorporate responses to any intervening changes (e.g. new operating systems, new critical applications or data, or new state and federal standards)
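The weighting, prioritization and response mapping in Steps 1 and 2, and the reassessment trigger in Step 4, can be made concrete in a small risk register. The Python below is an added example written for this article, not code from the University of Virginia's program or the speech it discusses. The likelihood weights, impact magnitudes and risk levels follow the three-level matrix in NIST SP 800-30 (2002 edition), which the article does not cite; the asset inventory, threat scenarios, control names and the rule for when a medium risk may be accepted are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Likelihood weights, impact magnitudes and derived risk levels follow the
# three-level matrix in NIST SP 800-30 (2002 edition). The article names no
# scale, so choosing this one is an assumption of the example.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str  # Step 1: hardware, software, information or people


@dataclass(frozen=True)
class Threat:
    """One threat scenario mapped to a critical asset (Step 2)."""
    asset: Asset
    source: str            # threat source, e.g. "insider", "computer criminal"
    event: str             # what the source does, e.g. "unauthorized system access"
    likelihood: str        # "low" | "medium" | "high"
    impact: str            # "low" | "medium" | "high"
    existing_control: str = ""  # previously implemented strategy, if any


def risk_score(t: Threat) -> float:
    """Weight a threat by likelihood x impact; result ranges from 1 to 100."""
    return LIKELIHOOD[t.likelihood] * IMPACT[t.impact]


def risk_level(score: float) -> str:
    """Bands from the NIST SP 800-30 (2002) matrix: >50 high, >10 medium, else low."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def response(t: Threat) -> tuple[str, str]:
    """Map a threat back to a response strategy plus the justification to record.

    The acceptance rule is illustrative: high risk is always mitigated, medium
    risk is accepted only when a previously implemented control already reduces
    it, and low risk is accepted and documented.
    """
    level = risk_level(risk_score(t))
    if level == "high":
        return "mitigate", "high risk: corrective action required before acceptance"
    if level == "medium":
        if t.existing_control:
            return "accept", f"medium risk already reduced by {t.existing_control}; monitor"
        return "mitigate", "medium risk with no existing control"
    return "accept", "low risk: accept and document"


def build_register(threats):
    """Prioritize threats (highest risk first) and record the decision for each."""
    rows = []
    for t in threats:
        strategy, why = response(t)
        score = risk_score(t)
        rows.append({
            "asset": t.asset.name,
            "asset_kind": t.asset.kind,
            "threat": f"{t.source}: {t.event}",
            "score": score,
            "level": risk_level(score),
            "strategy": strategy,
            "justification": why,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def reassessment_due(last_assessed: date, today: date, significant_change: bool = False) -> bool:
    """Step 4 trigger: repeat the cycle roughly every three years or on a significant change."""
    return significant_change or (today - last_assessed).days >= 3 * 365


# Constructed sample inventory for a small department (not real data).
DB = Asset("student records database", "information")
SHOP = Asset("online bookstore web application", "software")
ADMINS = Asset("system administration team", "people")
TAPES = Asset("offsite backup tapes", "hardware")

SAMPLE_THREATS = [
    Threat(DB, "computer criminal", "interception of records in transit", "medium", "high"),
    Threat(SHOP, "hacker", "distributed denial of service", "high", "medium"),
    Threat(DB, "insider", "browsing of proprietary information", "medium", "medium",
           existing_control="role-based access and access logging"),
    Threat(ADMINS, "terminated employee", "unauthorized system access with retained credentials",
           "high", "high"),
    Threat(TAPES, "negligent insider", "loss of tapes in transit", "low", "low"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_THREATS):
        print(f'{row["score"]:>5}  {row["level"]:<6} {row["strategy"]:<8} {row["asset"]} / {row["threat"]}')
    print("reassessment due:", reassessment_due(date(2009, 5, 29), date.today()))
```

Running the block prints the register with the highest-weighted threat first; the justification column is the record of key decisions that Step 2 asks for, the existing_control field is how previously implemented strategies feed into the decision, and reassessment_due encodes the three-year or significant-change trigger from Step 4.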