Recently, a Government Accountability Office (GAO) report written by Gregory Wilshusen, Director of Information Security Issues, and David A. Powner, Director of IT Management Issues, addressed the need to improve critical aspects of information security strategy in order to mitigate unnecessary risk to federal and private sector IT cyber infrastructure.
As a benchmark exercise, we believe that this report offers basic guidelines that can be adapted to fit and benefit any organization.
For example, we believe that you might “re-phrase” the improvements listed in the report summary as follows:
1. Develop a corporate strategy that clearly states its strategic objectives, goals and priorities for a company-wide cyber security policy.
2. Establish management’s responsibility and accountability for leading and overseeing that corporate cyber security policy.
3. Establish a structure and plan for implementing such a policy.
7. Communicate the importance and seriousness of the cyber security problem to the organization, and raise awareness of it.
5. Create a committee or team to be held accountable for the implementation of such a plan/policy in the organization.
6. Perform a business impact analysis on the organization aligned with the scope and intent of the cyber security plan.
7. Involve everyone in the organization as well as all vendors to the organization in such a plan.
8. Focus a study on the impact of cyberspace on the organization’s information security goals and objectives.
9. Raise awareness of the current state vs. the desired state of information security relevant to cyber security and cyberspace risk levels.
10. Promote research and study on how to improve current levels of coordination between our organization and our supply chain of vendors.
11. Increase the organization’s cyber security skill sets, both internally by hiring more cybersecurity professionals and by outsourcing similar skills where and when it is justified to do so.
12. Make your organization’s level of cyber security controls and management a benchmark for other companies to achieve.
Read this article about the GAO report on the Government Info Security website, and then present it as a point of discussion at your next business continuity or information security planning meeting. We would hope that your group would make its own list of key improvements for information security and cybersecurity, which would, of course, be unique to your own company.
Please share your thoughts and opinions with our community of readers.