1. When considering Cybersecurity, what are the roles and responsibilities of an organization?
In any organization, there are set duties, assignments and responsibilities to accomplish department goals, targeted objectives, and outcomes. Employees at every level within a business organization should take their responsibilities about Cybersecurity very seriously and be part of the organization Cybersecurity focus. Every department under the business structure should know what their part within the organization cybersecurity program. Every one, though matter what department they belong to should work as a team to meet and exceed the organization cybersecurity goals.
Get Help With Your Essay
If you need assistance with writing your essay, our professional essay writing service is here to help!
Having a great cybersecurity program is the responsibility of management and it should be a part of every facet in all sectors of the business. In every organization with an IT department, the IT department is the regulator of the business cybersecurity program. They create the policy, in accordance with the business goals, mission, and objectives. They build, implement and monitor the organization cybersecurity program against the business set goals.
With all this said, the cybersecurity program on an organization is useless without the backing or blessing of the senior leadership or the C-level. The senior leadership is the ones making the decisions based on cyber vulnerabilities and organizational risk. They are the owners of the cybersecurity program and therefore is overall responsible for results good or bad of the business security program.
Despite all the roles and responsibilities of the IT department and the senior leadership, it is of utmost importance that every employee takes cybersecurity seriously within the organization. Every member of the organization should be familiar with the business cybersecurity policies, strategy, and objectives. There should be clear guidelines on the do’s and don’ts for any given situation that could result in a data breach. The main goal of every cybersecurity program is to remove vulnerability and mitigate any loses that may occur from accidental or intentional security protocol violation. Therefore, everyone within the business organization is important players in the organization cybersecurity program and should do everything within their power to keep it safe.
Every organization doing business in this world either for-profit or nonprofit has developed rules, guidelines and best practice for doing business. This falls under the policy guidelines governing the organization day to day operations. The company policy is developed in accordance with organization goals, mission statement, vision statement, and expectations. The policy is developed by senior management which includes department heads, managers and HR. HR takes all the ideas and writes up a formal policy in accordance with the law and distribute it to all employees including new hire in the form of a policy booklet. Carefully planning of policy is vital in other for the business to be viable and competitive. Furthermore, the policy is a communicating tool for all employees on how they should and expected to behave in the work environment. Carefully developing an effective policy guideline and knowing the values you want to instill in all employees sets the tone and company culture. Despite the great attributes a policy can bring to the organization culture, one has to be very careful not to infringe on employees’ rights. Infringing on employees’ rights will demotivate and anger them resulting in diminished productivity. Remember policies with purpose have value.
It the sole responsibility of the business to design policies that will meet the shareholder’s vision, business or organizational missions. The policy should seek to mitigate the burden of regulations, costs, and contractual obligation by monitoring the security program closely. The policy should be designed fairly and it should outline information that is written, spoken, recorded and be protected from accidental or intentional unauthorized destruction or modification for its life expectancy. An organization policy needs to implement controls that protect every system within that organization from malware, ransomware, viruses and any other form of intrusion attack.
At the end of the day, company policy should document in writing how the company plans to protect its data and physical assets. This document should explain how all employees are going to be educated on protecting the organization assets and how security measures should be handled and enforced within the business. This document should constantly be reviewed and updated as technology, mission, goals, and employees change within the business. In other words, it is a living document, addition and subtraction can be made to it in the best interest to the business.
Laws and regulations
In the early stages of the computer networking era, there were no laws governing computer crimes. Victims were left to defend their computer network themselves. The government at that time did not address that issue of computer crime. Honestly, I didn’t think they knew how to address cybercrimes in the early stages. In this modern day, the U.S Government legislatures have laws in place that addresses if not all but most cybersecurity crimes. Today there is a number of laws that protects the computing world from cyber-attacks. Here in the United States, the government legislative body or law makers have established laws and regulation that will send convicted cybercriminals to jail, pay a fine or both depending on what they are found guilty of. These laws are put in place to protect the organization from data breaches and any other form of attack on information technology.
The current legislative role is highly complex in cybersecurity. This role involves protecting and securing federal and none federal system here in the United States and elsewhere the government has invested interest. The government has developed the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984. This law was developed to stop cybercriminals from attacking government computers, the network used in the banking system, an in the interstate and commerce industries. The Electronic Communications Privacy Act of 1986 was also enacted to stop bad actors from spying on the organization through electronic means. The National Institute of Standard has the responsibility to design security standards for government computer network system. This responsibility was imposed on NIST with the Computer Security Act of 1987. There are many other laws developed to protect both the federal government and private organization from cybersecurity criminals.
In essence laws and regulation are in place within the cybersecurity framework to protect intellectual property, private, confidential data from bad actors trying to gain unauthorized access for gain or malicious intent. These laws are needed for their intended purpose. The world has evolved and technology has advanced so rapidly that laws and regulation had to be put in place to mitigate and protect victims of cybercrimes. These laws and regulation play a major role in both protecting and assessing punishment for those who do not adhere to them. The cybersecurity world is a better and more comfortable place today than in the past.
Doing business over the internet is risky business at all levels. It’s a matter of time before you get hacked. It’s a matter of when someone will gain unauthorized access to a computer network. Cybersecurity awareness is the ability to understand that your organization is at risk every day and something should be done to protect it. Any business that deals with data have the responsibility to do everything to protect it at all cost. Security awareness allows a business organization to explore a wide range of security controls and measures to stop or mitigate data breaches. Organizations should elevate the needs and efforts to increase security awareness within the business setting to all employees. Their cybersecurity framework should be tested against know attacks in other to evaluate the effectiveness of the system. Doing so will give the organization an idea of what controls they need to put in place to repair any gaps that exist and maybe be taken advantage of.
Cybersecurity awareness is time-consuming at the very least. Consistent and continuous training is needed, testing at know areas of weakness and vulnerabilities. Everyone in the organization should be aware of the possible way hackers tries to get access to your computer network. For example, a hacker instead of trying to exploit a security flaw in an organization security framework it is easier to call and impersonate someone in the business to obtain valuable information. If he or she is capable of getting the information needed they can access the security framework through the front door. Awareness in a business cybersecurity framework should come from the top, CEO, CFO, and managers that want to secure the company’s converted data.
Training can be in person in a classroom setting, online hands one or video. This is a vital function of any business because it ensures that all employees are aware of what to do and not do.
For example, if within an organization your employees cannot make an informed decision on which attachment to open in an email then that leaves the security network vulnerable to phishing attacks. Have policies in place such as all software must be pre-approved before they can be installed and used on the computer network. As we all know the human factor is the most vulnerable in any security framework. A security framework is only as good as its weakest link in the framework. All actors in the should share the responsibility to be aware of the risk that exists and should work together as a team to mitigate those vulnerability concerns. Setting periodic training for employees and testing of the framework for both internal and external threat will set a baseline for risk assessment with the business.
Role of an individual
Every day Cybersecurity keeps evolving and technology keeps getting better. That being said hackers and bad actors keep inventing better more sophisticated ways to penetrate and steal data. Before connecting to the organization Cybersecurity system stop, think how can you protect and take care of personal, private and confidential data within the organization. It is everyone’s role to protect the companies converted data whether you are the janitor or the CEO of the organization. Within the business infrastructure, there are people with different roles and different level of access to the company’s data. Should that matter? Every employee should strive to meet their company’s cybersecurity goals. To protect the company’s data employee within the organization should be educated with the minimum knowledge and or requirement on cybersecurity policy and how it will impact everyone.
All employees should be aware of the general rules, regulations, laws, and requirement that most companies are subjected to if certain criteria are not meet in their cybersecurity efforts. Those laws and regulation are applied depending on the type of business organization. There are financial, health, information data protection and privacy law that a company can be subjected to if contractual obligations are not met. All employees may not know all the details of the requirement but they should at least know the consequences of bad judgment within the cybersecurity framework. A cybersecurity framework that is properly designed should provide detailed information that guides all employees to meet company policy and their professional responsibility towards cybersecurity.
Beyond the normal responsibility of an employee, there should be written procedures to report any security flaw that may arise. This would provide employees the sense and responsibility to report irregularities knowing that it will be dealt with promptly by management. Despite all that, our responsibilities as individuals are never-ending. We must stay vigilant and be aware that cybercriminals are lurking to cause harm in any way possible. There are many ways we can protect that from happening. The use of strong passwords, multiple layer authentications, recognizing phishing attempts, and limiting social media information presence. In any case, an individual role and responsibilities in the organization cybersecurity efforts can either undermined or fill in the gaps in the business security efforts. Employees make a big difference since they are the most vulnerable actors in the cybersecurity program.
An organization cannot have an effective cybersecurity system if there is no way to monitor the framework. Monitoring gives you the ability to see how effective the system is under normal and abnormal situations. Let’s be honest, any business is one click away from closing forever. Cybercriminals are hard at work developing new ways to steal information at whatever cost. Cyber threat monitoring is the best defense against itself. A business is never too small to be exempted from cyber-attacks. In fact, they are the prime targets of such behavior.
Find Out How UKEssays.com Can Help You!
Our academic experts are ready and waiting to assist with any writing project you may have. From simple essay plans, through to full dissertations, you can guarantee we have a service perfectly matched to your needs.
As a business, there are a number of threats that can affect the smooth operation of your day to day business operation. There are online scams, identity theft, viruses, ransomware, malware, web-based attacks, fraud just to name a few. Cybercriminals are always looking to steal important data from a targeted government department and business organization. Data such as employee records, banking information, medical and financial records. Once they obtain that important information there is no limit to the extent of damage that can be caused.
Cybersecurity monitoring gives you the possibility to detect vulnerabilities and threat that exist and they can act promptly and accordingly. Without knowing what you are up against leaves your organization open to be hacked. It might not happen for weeks or years but when you least expect it, it will happen and you would be left to deal with the aftermath and fall out. Monitoring an organizational Cybersecurity framework is a vital control mechanism when incorporated with company policies, rules, and regulations. It’s the only way to identify vulnerabilities and risk. It gives you the ideas what your flaws are and from that measures can be implemented to mitigate risk.
Cybersecurity is a complex issue for the most experienced professional much less the end user. Compliance is highly critical in a cybersecurity program. The organization is the Compliance is the first line of defense to mitigate security threats to a security framework. Policies must be set in place to hold perpetrators responsible for not following the security protocol set by the organization at all levels. Everyone with the business structure should hold the responsibility of being compliant with set company cybersecurity policies. That being said, how can a business obtain compliance from its employees? The answer to that question should always be training. If your employees know what’s at stake, they will act appropriately
Training should be consistent, continuous and be mandatory for everyone. The rules and regulation cannot be bent for anyone. There should be clear guidelines on reporting and monitoring of the security framework in the business. In other to have great compliance within your business organization the system has to be continuously evaluated and updated as business goals, mission and employees change. Known vulnerabilities and threats need to be reviewed against protected data information. Ensure that people with access to data have access when they need to. Compliance is directly dependent on an effective security system. your cybersecurity system is only good if it has a purpose.
Have rules in place for employees that violate the business compliance policy within the organization security program. If employees know the consequences of their action, they would be careful about how they use data in the business. That being said a system must be in place to identify the perpetrators. At the end of the day if there is no compliance your company is vulnerable to a wide range of attack which will be costly for the organization.
2. An IT company is implementing BCM as per ISO 22301. Address this standard by describing at least 6 critical processes and include all the necessary fields required by the standard.
Business Continuity Management (BCM) is used by large and small business across all sectors to help with continuity and recovery when faced with problems or when things are simply not working as they should. The ISO 22301 standard provides guidelines and requirements when a business is faced with a disaster situation. Building a business organization is hard work. Much thought has to go into planning from the beginning stages and up to running the business. One has to plan for continuity when disaster strikes. Disaster may not happen today or tomorrow but they are going to happen. A business has to be prepared to deal with that disruption when it occurs. Many companies out there adopt the ISO 22301 standards. This standard gives any organization a framework on how to recover from disruptive situations with minimal risk in the shortest period of time. It allows a business to be resilient and maintain its stature after a disaster. It is wise for a business to adopt that standard. Honestly, it just makes sense because you want your business to grow and be prosperous. For an organization to incorporate the ISO 22301 standard into their business they have to study and thoroughly understand how it works. When the standard is understood they can incorporate their company’s objectives into the objectives of the BCM model. Any organization that uses this model has to be in full compliance with its policies, rules, and regulations. Compliance is very important in order for any business to be certified under ISO22301.
This module has six critical processes that should be adopted and followed when using this standard. Here are the different processes: program management, understanding the organization, determining the BCM strategy, developing and implementing a BCM response, exercising the response, as well as maintaining, reviewing and embedding BCM in the organization’s culture.
In addition to the critical processes or phases, there are steps that must be followed in other for a business organization to have a truly comprehensive continuity plan.
Step 1: Nothing at this magnitude happens with senior management blessings. The top management has to be convinced and be onboard with the plan for business continuity management. Policies must be created, once management has signed off on the BCM standard. This is particularly important since the project will be executed by senior management.
Step 2: Once a policy has been developed key personnel has to be made aware of its existence. The policy must be communicated to People such as stakeholders, vendors and third parties.
Step 3: After all the important people have been made aware of the policy, someone with authority that is capable of implementing the Business Continuity Management plan as per policy must be identified. Normally the identified person who will implement the plan will be working with a team to build the framework that covers everything under the policy scope. The business goals, mission, and objectives must be aligned with the BCM objectives. This should contain or include an acceptable level of risk, legal, regulatory and contractual commitments in order to satisfy the needs and interest of all stakeholders.
Step 4: Using the business continuity management lifecycle examine and point out important function included in the scope of the business continuity management and perform a risk assessment on these particular functions. After you have gotten the results from the risks assessment the business may have to look at other disaster recovery strategies. An incident plan may have to be developed with appropriate response framework.
Step 5: At this stage implementing the previous plans come in handy. A program must be developed to cover different plans that have the same objective as the BCM. All plans must be studied to make sure all flaws and gaps remedied. All plans need to be updated based on the flaws and gaps discovered during the assessment testing.
Step 6: This is the last step in the Business Continuity Management Standard. The plan is carried out which should include managing the entire program. Management should conduct regular reviews, audits, and assessments to ensure the plan is effective. To truly embed the BCM module in the organization culture preventative maintenance and corrective actions must be taken for constant and consistent growth and improvement.
The world we live in is highly competitive and the economy is growing. Vendors and customers don’t have the patience to deal with subpar service and as several companies seek cheaper labor in other countries business organization continue to bring great service at agreed levels and without failure will continue to thrive. Having and following the BCM standard allows a business organization to continue serving excellent product and services during and after surviving a disastrous disaster.
3. What are the emerging and future technologies that an organization as to worry most about from a security perspective?
It is no secret that organizations are under constant threat by cybercriminals. Hackers are always looking for ways to penetrate a government department data or a lucrative business organization cybersecurity defense mechanism. As technology advances so are the need to constantly update security defense systems. The advancement of technology brings added loopholes that need to be addressed. Periodic testing on an organization security framework provides vulnerability weak points in the system. The result of these testing, one would think the results are used for defensive purposes. We all know that some of the data breaches that have occurred in the past have been the result of an inside job. That raises the question, who can you trust within the organization? Honestly, I think when it comes down to cybersecurity you can’t trust anyone. We, humans, are the most vulnerable in the security framework. Humans can be paid off by outside actors, they can be unhappy and decide to turn on the organization. Therefore, the insider threat has been one of the formidable concerns of any organization on a security level within the business.
There was and will always be a danger with emerging technology. Technology brings added headaches to IT professional every day. It is a fact that username and passwords used by end users are very weak. Utilizing subpar user name and passwords are gifts to hackers, they gain access to important data and maximize the damage. This practice puts enormous pressure on cybersecurity professional to develop suitable authentication methods that are really and truly secure. Hardware authentication is one of those emerging technology that worries many businesses. It’s a growing trend and IT professional has to develop hardware authentication for network security systems.
Another emerging technology that can present problems is the Internet of Things. In today’s world, every electronic gadget that we use has the capability of going online. Cell phone, watches, game consoles, a smart thermostat that can change temperature setting just to name a few. These are an additional access point that can be exploited by hackers. When new and emerging technologies like that come to the market they are adopted quickly by consumers. This is very dangerous because they have not had the chance to be tested thoroughly. Here is an example of the Amazon Alexa assistant which operates on the Amazon-dot systems. This system has different settings, one of the setting is to always record. I remember CNN reported an incident where a family accidentally switch the setting to always record. Alexia recorded their conversation and send it to all the contact list via email. This is scary in and of itself. This goes to show with growing technology and our hunger as humans to adapt to new gadgets without understanding their full capabilities can put us in difficult circumstances. New technology with security flaws that have not yet been discovered can be a security nightmare for a business organization. A nightmare that they might not be able to recover from.
4. Explain the need for Business Continuity-Disaster Recovery Planning.
Doing business is a great thing if everything runs perfectly. As we all know there is no such thing as a perfect way of doing anything. This is true in the business arena. Things are going to happen which is not in the best interest of the day to day operation
Of any business. Natural disasters such as hurricanes, tornadoes, floods, fire, and volcanoes can happen at any given time. Your business could be a victim of a serious data breach. All of the previously mentioned scenarios can seriously affect how business is run. To counteract those on foreseen events every company should have a continuity disaster recovery plan. Planning for the worst case and how the company is going to limit their downtime. The ultimate goal of the disaster recovery plan is to limit every potential risk and get the organization running as close to normal in the shortest period of time. Interruption is going to happen in any business lifetime. A solid disaster recovery plan must be in place. This puts confidence in your business partners and customers mind that your organization will be resilient and will be around for a long time. Your place in the business market won’t be swept away that easily due to lack of planning for the worst case disaster scenarios.
- Advisera (2016) Clause-by-clause explanation of ISO 22301. Advisera Expert Solutions Ltd. White paper. 27001 Academy. Retrieved February 23, 2019 from http://info.advisera.com/hubfs/27001Academy/27001Academy_FreeDownloads/Clause_by_clause_explanation_of_ISO_22301_EN.pdf?t=1491297687100
- Austin, Dave., Tnagen, Stefan. (2012) Business continuity – ISO 22301 when things go seriously wrong. International Organization for Standardization (ISO) business continuity commentary article. Retrieved February 23, 2019, from www.iso.org
- Bakertilly (2017) Monitoring and verifying cybersecurity controls effectiveness. Baker Tilly Virchow Krause, LLP. Bakertilly Insights commentary Article. Retrieved February 23, 2019, from https://www.bakertilly.com/insights/monitoring-and-verifying-cybersecurity-controls-effectiveness/
- Delgado, Rick (2018) 3 Emerging Innovations in Technology that Will Impact Cyber Security. Tripwire Security Awareness commentary. Retrieved February 23, 2019, from https://www.tripwire.com/state-of-security/featured/emerging-technology-cyber-security/
- GAO-13-187 (2013) National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented. Government Accountability Office. Report to Congressional Address. Retrieved February 23, 2019, from https://www.gao.gov/assets/660/652170.pdf
- Giles, Martin. (2018) Six Cyber Threats to Really Worry About in 2018. MIT Tech Review. Retrieved February 23, 2019, from https://www.technologyreview.com/s/609641/six-cyber-threats-to-really-worry-about-in-2018/
- ITU (2009) Cybersecurity: The Role and Responsibilities Of An Effective Regulator. ITU Telecommunication Development Sector. 9th ITU Global Symposium for Regulator. ITU findings report paper. Retrieved February 23, 2019, from http://www.itu.int/ITU-D/treg/events/seminars/gsr/GSR09/doc/GSR-background-paper-on-cybersecurity-2009.pdf
- McDermott, John (2016) Cyber Security Responsibilities for Your Organization. Learning Tree cybersecurity Blog. Retrieved February 23, 2019, from https://blog.learningtree.com/cyber-security-responsibilities-for-your-organization/
- Praxiom (2017) ISO 22301 Translated into plain English. Praxiom Research Group Limited. ISO 22301 2012 standard analysis. Retrieved February 23, 2019 from http://www.praxiom.com/iso-22301.htm
- Slater, Derek (2015) Business continuity and disaster recovery planning: The basics. CSOonline IDG group. Retrieved February 23, 2019, from https://www.csoonline.com/article/2118605/disaster-recovery/business-continuity-and-disaster-recovery-planning-the-basics.html
Cite This Work
To export a reference to this article please select a referencing style below: