Sample Technology Paper on Strategic Cybersecurity Risk Management for MediaKind

Strategic Cybersecurity Risk Management Plan

1          Mission statement:

Design and implement a cybersecurity risk management program for the organization for adoption in the Company’s strategic plan.

2         Vision statement:

Cultivate a security-focused mindset across all our business assets and operations.

3         Introduction

From the earliest days, living in an environment that guaranteed the security of property and people was vital. This was ensured by warriors tasked with that critical responsibility; their training meant that every one of them internalized the idea of securing the community's or clan's assets at all costs. Over time, however, assets and property have shifted platforms and environments and have become digital. Virtual assets have therefore become more important to secure, and their risk and exposure continue to increase every day. Von Solms and Van Niekerk (2013) argued that the digital value of a commodity, and hence its risk, varies from asset to asset and from entity to entity depending on the value stored. Threats to these assets originate from all sides, ranging from competition to malice and curiosity. MediaKind is one of the organizations that rely on digital platforms in all of their operations. This places it at an elevated risk level, given the business it is in and the category of value it handles.

MediaKind is an entity that deals with media creation, gathering, processing, delivery, and storage. This enables the platform to make customized media available to its clients anywhere and at any time. The environment calls for the use of various platforms, including cloud technology, the internet, and numerous hardware platforms, that ensure this is done efficiently. The company has developed a good relationship with its customers, reinforced by the numerous global awards and presentations at its disposal. MediaKind can therefore be said to have become a market leader in the media industry, and this alone exposes it to considerable risk. On top of this, the company has partnered with many other entities to help them deliver their media content to customers, and it can establish end-to-end connections anywhere at any time. To sustain this rate of innovation and competitiveness, the company must recognize that it holds a precious position in the media industry and in the global market and economy. Ensuring that its infrastructure remains perennially secured is therefore a critical point as technology advances and threats increase. MediaKind will need to assess its vulnerabilities and ensure that intruders cannot compromise its territory, as a compromise could bring serious consequences across the board. Luiijf, Besseling and De Graaf (2013) argued that a proper cybersecurity risk management plan is mandatory given the existing threat ratios. This document therefore lays out the strategic cybersecurity risk management plan for MediaKind for an efficient and secure infrastructure, which will also ensure its continued dominance in the market.

4         Standard and Regulatory References

#   Document Identifier   Document Title
1   ISO 27001             Information security management systems — Requirements (second edition)
2   PCI DSS               PCI DSS Documentation Toolkit

5         Definitions

According to Öğüt, Raghunathan, and Menon (2011), cybersecurity risk is the potential for a given threat to exploit a vulnerability in an entity's asset or assets and so cause harm to the organization.

6         Conventions

Cybersecurity risk and security risk are here deemed to have the same meaning in context and application.

7         Responsibilities

In the earlier days of security risk management, small groups of IT staff were tasked with ensuring that the entire information systems strategy worked as expected. Modern operating environments, however, are changing and demand the inclusion of many other personnel. The aim is to build a comprehensive and exhaustive picture of the entity's risk position and of the vulnerabilities that could be exploited, and from that to produce a mitigation plan.

8         The Strategic Cybersecurity Risk Management Team

Person                 Responsibility
Audit manager          To provide input on the various fraud cases that may have been identified
QA manager             To liaise with employees on the availability and quality of services as stipulated
System administrator   To provide input on hardware vulnerabilities that need to be addressed
Security analyst       To compile risks and vulnerabilities and present a solution for discussion
Security architect     To design a solution for identified risks and vulnerabilities
Security engineer      To implement security solutions to protect MediaKind
Operations manager     To provide responses and suggestions on the systems' operating deficiencies and user concerns
HR manager             To coordinate and organize the team during the meetings
Finance manager        Together with the audit manager, to give input on financial systems vulnerabilities
CISO                   To ensure that the agreed solutions have been implemented so as to ensure business continuity

The MediaKind personnel listed above will therefore be tasked with steering the strategic plan and raising current security levels to the required standards. This group will also be responsible for making alterations and updates to this document so that it can respond to new threats and changes in the operating environment.

9         Cyber Risk Management Process

Cybersecurity management is a continuous process and can therefore be represented by the chart below.

9.1        Risk Management Flow Chart

[Figure: Risk Management Flow Chart; image not reproduced in this text.] Source: https://www.google.com

10      Assets Identification

For effective implementation of a cybersecurity plan, Disterer (2013) advised that it is essential to identify assets and establish their boundaries. In the case of MediaKind, the following assets have been identified.

An asset is anything deemed of value to the company or the manufacturer of the asset.

10.1     Hardware and Software Resources

  • Server hardware
  • Server software
  • End-user applications
  • End-user nodes

Operations Environment

  • Server Environment
  • User Environment
  • Intranet
  • Extranet
  • Web Access

10.2     Additional devices

  • Smartphone access
  • TV access
  • Transmission channels

10.3     The processes involved in the service

  • Media Creation
  • Media Storage
  • Media processing
  • Media Transmission
  • Internal processes
  • Customer service
  • Cloud Services

10.4     Information assets

  • Multimedia data
  • Configuration data
  • Log files

10.5     Network Assets

  • Wi-Fi adapters
  • Connectors
  • Routers
  • Switches
  • NIC cards

10.6     Network interfaces and protocols

  • HTTP, UDP, TCP
  • Network Ports

All of these assets are essential to the organization and shall be secured to the maximum possible level. They form the operating environment and are therefore core to the sustainability of the entity's operations.

10.7     The user groups

  • Internal users
  • Client users
  • Administrators
  • Managers
  • Customer service personnel

11      Training

Research by Boyce et al. (2011) recommended continuous and regular updates of users' knowledge of the current information systems and the risks associated with their use.

Because knowledge and areas of expertise vary, members will be given a mandatory training session at selected venues. This will ensure that they gain the required experience in cybersecurity and avoid exposing themselves and the company at large. Refresher courses and further training will be offered to those users who are vital to implementing the strategy. Users will then be required to take responsibility for their actions in the event of a breach caused by user negligence. The training will focus on a selection of current attack trends and techniques.

All administrators in the class of super users will be required to attend a monthly refresher or advancement course in the field of cybersecurity. Super users will include Information Systems staff and all managers at MediaKind. This knowledge and expertise are expected to be shared with other staff members as new threats and discoveries emerge.

12      Constraints

Data will be made available through internet technology as well as dedicated and private networks, supported by network redundancy and backup media in the cloud facility. As the Risk IT Framework for Management of IT Related Business Risks (n.d.) acknowledges, to ensure maximum security of the assets, user access levels and access rights will be awarded on a least-knowledge (need-to-know) basis, with further clearance granted on demand. This will include access to server rooms, both in-house and on the cloud platform. The CISO and all network security personnel will, however, be granted administrative rights so that they can reset, override, and revise user access levels; this enables the detection and immediate correction of anomalies during operations. We will also establish a continuous relationship with all hardware and software manufacturers to maximize our security through patches and updates, which will also ensure that we continue to receive documentation on operating these assets at optimum capacity.

13      Risk assessment

This document therefore sets the standards for risk identification, analysis, and evaluation in order to meet the objectives of the process and to rank priorities across systems and risks.

In the event of any security occurrence, a preliminary assessment will be conducted by the security group committee to review the overall security status of the organization. This will also assist in evaluating immediate response actions before the threat is contained and eliminated.

13.1     Threats

Threats are entities or activities that are likely to cause damage to our assets. In the case of Mediakind, we have identified the following as our threats:

  • Criminal organizations (black-hat hackers) - these may compromise resource integrity and therefore cause losses of unknown volume.
  • Inexperienced users - this is a primary consideration, and it is why the organization will conduct continuous refresher courses to update skills and, where possible, improve performance.
  • Natural events - the cause of these events cannot be controlled, and the remedies will include backup strategies and redundancy plans. These will ensure that services continue to be offered to our customers without interruption.

14      Existing Controls

Because of evolving technologies and past threats, MediaKind already has various security plans in place. However, modern attack techniques and the level of competitiveness in the business have forced the company to adopt a proper procedure for this process. The company has in place firewalls, registered antivirus software, user policies, and usage monitoring tools. We have also been monitoring our networks and have ensured that all data leaving and entering our assets is fully encrypted using asymmetric encryption methods. This has helped significantly to reduce risk, but a strategic approach has become fundamental.

These methods have been effective and, given the budget allocations for the departments in the past, they have played a significant role. It has been observed, however, that they are no longer able to serve the company adequately. It has therefore been recommended that a more exhaustive process be put in place to identify assets and assign priorities to risks and treatment techniques.

15      Vulnerabilities

From a past evaluation, the company is vulnerable for various reasons. It has been noted that many users have not been changing their passwords as required, and some have been writing them down on physical objects. It is also worth noting that the email scanners have not been working most of the time, which has placed the company's assets at considerable risk.

The assessments conducted and reported so far also show that servers have not been updated regularly.

From the corporate angle, we have outgrown many of our competitors and attained a global image. This has increased our risk and made us vulnerable to attacks from all directions. Our services are also superb, and many would want to steal our technologies to further their own business ambitions. We have also noted that internal threats make us more vulnerable to attack, and we therefore call on our people to report any issue that raises concern about system usage.

16      Consequences

With this in mind, we anticipate with regret the unexpected case in which this strategy is not implemented, because the damage could be disastrous and irreversible. In such a case we would lose our credibility to do business with both our strategic partners and our customers. We therefore call for proactivity in every corner of the organization to ensure the sustainability of the business. A study by Liu, Xiao, Li, Liang, and Chen (2012) advised that all information about our assets, vulnerabilities, threats, current controls, and consequences should always be recorded in the security risk assessment report, and we intend to conform to this sound practice.

17      Analysis

In this process, all risks will be ranked according to their likelihood of exploiting a vulnerability and the impact they could cause to the entity (Bhagat, 2012). This will also take account of the data collected in the assessment stages. Each departmental head will be required to provide an analysis of the possible impact in their department so that measures can be prioritized and taken accordingly. The results of this stage must be recorded in the risk assessment report.

18      Evaluation

The Risk Priority Number (RPN) will be derived from the acceptance criteria, as stated in section 18 below. This will also take into account the legal implications and regulatory requirements in the event of a security occurrence. The results of this stage will be recorded as well.
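The following is an added illustration of the analysis and evaluation steps described above (ranking risks by likelihood and impact, deriving a Risk Priority Number, and recording whether each risk exceeds the acceptance criteria); it is not part of MediaKind's plan or tooling. Because the plan's acceptance criteria are not reproduced in this document, the 1-5 ordinal scales, the formula RPN = likelihood x impact, the acceptance threshold and the sample scores are all assumptions made for the example. The register entries are constructed from the threats and vulnerabilities the plan names.

```python
"""Risk register scoring: ranks risks by likelihood x impact and flags those
whose RPN exceeds an assumed acceptance threshold.  Added illustration only;
the scales, formula, threshold and sample scores are assumptions."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5      # assumed 1..5 ordinal scale for both factors
ACCEPTANCE_THRESHOLD = 9         # assumed: an RPN above this must be treated


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (severe)
    existing_control: str = "none"


def risk_priority_number(risk: Risk) -> int:
    """RPN = likelihood x impact (assumed formula).  Out-of-scale scores are
    rejected rather than silently clamped, so a mistyped assessment is caught."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name} must be in {SCALE_MIN}..{SCALE_MAX}, got {value}")
    return risk.likelihood * risk.impact


def rank_risks(register):
    """Return (rpn, risk) pairs, highest RPN first.  Ties are broken by impact so
    that a rarer but more damaging event is not buried below a frequent nuisance."""
    return sorted(((risk_priority_number(r), r) for r in register),
                  key=lambda pair: (pair[0], pair[1].impact), reverse=True)


def needs_treatment(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    """True when the risk exceeds the (assumed) acceptance threshold."""
    return risk_priority_number(risk) > threshold


def evaluation_report(register, threshold: int = ACCEPTANCE_THRESHOLD):
    """Build the rows the plan says must be recorded: asset, threat, vulnerability,
    existing control, RPN and the accept/treat decision, in priority order."""
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "control": r.existing_control,
            "rpn": rpn,
            "decision": "treat" if rpn > threshold else "accept",
        }
        for rpn, r in rank_risks(register)
    ]


# Constructed sample register drawn from the threats and vulnerabilities the plan
# names; the scores are illustrative assumptions, not MediaKind's assessment.
SAMPLE_REGISTER = [
    Risk("Media servers", "Criminal organizations", "Servers not updated regularly", 4, 5, "firewall"),
    Risk("User accounts", "Inexperienced users", "Passwords unchanged or written down", 5, 3, "user policy"),
    Risk("Email", "Criminal organizations", "Email scanners not working", 4, 4, "antivirus"),
    Risk("Data centre", "Natural events", "No tested failover between sites", 1, 5, "cloud backups"),
]

if __name__ == "__main__":
    for row in evaluation_report(SAMPLE_REGISTER):
        print(f"{row['rpn']:>3}  {row['decision']:<6} {row['asset']:<14} "
              f"{row['threat']:<24} {row['vulnerability']}")
```

Running the block prints the register in priority order: the unpatched servers (RPN 20), the broken email scanners (16) and the password hygiene problem (15) all exceed the assumed threshold and are marked for treatment, while the natural-event risk (5) falls within acceptance because its existing backup and redundancy controls already keep its likelihood low. The departmental impact scores the plan asks each head to provide would simply replace the constructed values.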

19      Risk treatment

According to Martin and Kung (2018), risk treatment is the process used to contain a risk. Because of the category of business MediaKind is in, risks will be treated in different ways, which will include one or more of the following:

  1. Modification or control - this will employ the following order of approach
  2. Retention