Categories
Uncategorized

Cyber Security Guidance For Businesses: User education and awareness

Produce user security policies that describe acceptable and secure use of your organisation’s ICT systems. These should be formally acknowledged in employment terms and conditions. All users should receive regular training on the cyber risks they face as employees and individuals. Security related roles (such as system administrators, incident management team members and forensic investigators) will require specialist training.

Categories
International

Obama seeks $19B for cybersecurity in 2017, a 36% increase

The Obama administration is seeking a $5 billion funding increase for cybersecurity for the fiscal year 2017. Here’s why it matters.

US President Barack Obama recently laid out his budget proposal for the 2017 fiscal year and it included $19 billion for cybersecurity initiatives within the government itself. This marks an increase of $5 billion, or 36%, from the prior budget.

The budget proposal comes as part of the President’s Cybersecurity National Action Plan (CNAP). The CNAP also includes the proposed action of establishing a “Commission on Enhancing National Cybersecurity.”

The commission will be made up of non-government thought leaders who’ll have the job of “making detailed recommendations on actions that can be taken over the next decade to enhance cybersecurity awareness and protections throughout the private sector and at all levels of government, to protect privacy, to maintain public safety and economic and national security, and to empower Americans to take better control of their digital security,” according to a White House press release.

The CNAP also puts aside $3.1 billion for modernization of IT throughout government agencies, and $62 million will be allotted for grants and scholarships to help interested citizens learn the necessary skills to become a cybersecurity expert. And, it will bolster student loan forgiveness for cybersecurity experts who join the federal workforce.

Another part of that modernization fund will be the formation of a new position in the government: Federal Chief Information Security Officer.

The news comes just hours after a purported hack of the FBI and Department of Homeland Security (DHS). In this attack, data was leaked on some 20,000 FBI employees and 9,000 DHS employees. Last year, the Office of Personnel Management faced similar challenges when it experienced a hack that leaked information on 22 million people.

Additionally, just a few days ago, the US Government Accountability Office (GAO) called out the DHS’s $5.7 billion cyber-defense system, Einstein, as being ineffective.

Cybersecurity has played a key role in the upcoming presidential election, with some candidates going as far as publishing cybersecurity plans on their websites, and others publicly calling out perceived failings of the US government to take action against potential threats.

The CNAP also addresses cybersecurity for citizens by encouraging them to move beyond a simple password and consider multi-factor authentication to protect their personal information. To protect citizen-facing government services, the plan will also ramp up strong multi-factor authentication and identity proofing in those services.

While the $19 billion budget has been set forth, it still has to be approved by the US Congress before it can go into effect.

The Obama administration is proposing a 36% increase in cybersecurity funding for the 2017 budget. That could mean more jobs for cybersecurity analysts or more opportunities for government contractors to help cybersecurity modernization efforts.

The Cybersecurity National Action Plan (CNAP) includes funding for the training of cybersecurity professionals, and potential loan forgiveness for those who wish to pursue that career in a federal government job.

One of the budget proposals also includes funding for the first-ever Federal Chief Information Security Officer, which would help justify the CISO title and have a trickle-down effect on other government agencies as well as the private sector.

Categories
Business Advice, Cyber Security, Cyber Security Recruitment, Cyber Security Training, Information Security, Infosec

Cyber Security Guidance For Businesses: Home and mobile working

Assess the risks to all types of mobile working (including remote working where the device connects to the corporate network infrastructure) and develop appropriate security policies. Train mobile users on the secure use of their mobile devices for the locations they will be working from. Apply the secure baseline build to all types of mobile device used. Protect data-at-rest using encryption (if the device supports it) and protect data-in-transit using an appropriately configured Virtual Private Network (VPN).

Categories
Uncategorized

Cyber Security Guidance For Businesses: Removable media controls

Produce removable media policies that control the use of removable media for the import and export of information. Where the use of removable media is unavoidable, limit the types of media that can be used together with the users, systems, and types of information that can be transferred. Scan all media for malware using a standalone media scanner before any data is imported into your organisation’s system.

Categories
Uncategorized

Cyber Security Guidance For Businesses: Monitoring

Establish a monitoring strategy and develop supporting policies, taking into account previous security incidents and attacks, and your organisation’s incident management policies. Continuously monitor inbound and outbound network traffic to identify unusual activity or trends that could indicate attacks and the compromise of data. Monitor all ICT systems using Network and Host Intrusion Detection Systems (NIDS/HIDS) and Prevention Systems (NIPS/HIPS).

Categories
Uncategorized

Cyber Security Guidance For Businesses: Incident management

Establish an incident response and disaster recovery capability that addresses the full range of incidents that can occur. All incident management plans (including disaster recovery and business continuity) should be regularly tested. Your incident response team may need specialist training across a range of technical and non-technical areas. Report online crimes to the relevant law enforcement agency to help the UK build a clear view of the national threat and deliver an appropriate response.

Categories
Uncategorized

Cyber Security Guidance For Businesses: Managing user privileges

All users of your ICT systems should only be provided with the user privileges that they need to do their job. Control the number of privileged accounts for roles such as system or database administrators, and ensure this type of account is not used for high risk or day-to-day user activities. Monitor user activity, particularly all access to sensitive information and privileged account actions (such as creating new user accounts, changes to user passwords and deletion of accounts and audit logs).
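The Monitoring and Managing user privileges steps above both come down to the same operational task: reviewing an audit trail for the privileged actions the guidance names (account creation, password changes, account and audit log deletion) and for privileged accounts being used for ordinary work. The script below is an added illustration of that review, not part of the original guidance. The log format, the action names, the list of privileged accounts and the sample log lines are all constructed for this example; a real deployment would read the organisation's own audit source and privileged-account register.

```python
"""Flag privileged-account actions in a constructed audit log.

Added illustration for the "Monitoring" and "Managing user privileges"
guidance; not part of the original guidance. The log format
(timestamp, actor, action, target), the action names and the sample
lines are all constructed for this example.
"""
import re
from collections import Counter

# Actions the guidance singles out for monitoring (hypothetical action names).
PRIVILEGED_ACTIONS = {
    "USER_CREATE",
    "PASSWORD_CHANGE",
    "USER_DELETE",
    "AUDITLOG_DELETE",
}

# Accounts designated as privileged (constructed list; in practice this
# would come from the directory or the privileged-account register).
PRIVILEGED_ACCOUNTS = {"sysadmin", "dbadmin"}

# Ordinary day-to-day activity that should not be done from a privileged
# account (constructed action names).
DAY_TO_DAY_ACTIONS = {"WEB_BROWSE", "EMAIL_READ"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)

# Constructed sample log lines, including one malformed line.
SAMPLE_LOG = """\
2016-02-10T09:01:12Z actor=alice action=FILE_READ target=/share/reports/q1.xlsx
2016-02-10T09:05:44Z actor=sysadmin action=USER_CREATE target=contractor7
2016-02-10T09:06:02Z actor=sysadmin action=PASSWORD_CHANGE target=contractor7
2016-02-10T10:15:30Z actor=bob action=PASSWORD_CHANGE target=bob
2016-02-10T11:20:00Z actor=dbadmin action=WEB_BROWSE target=news.example
2016-02-10T12:00:00Z actor=sysadmin action=AUDITLOG_DELETE target=/var/log/audit/audit.log
2016-02-10T12:30:00Z actor=carol action=USER_DELETE target=dave
malformed line that should be skipped
"""


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_alerts(log_text):
    """Return a list of (severity, reason, event) tuples for lines worth review."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # malformed lines are skipped rather than guessed at
        actor, action, target = ev["actor"], ev["action"], ev["target"]

        if action == "AUDITLOG_DELETE":
            # Destroying the audit trail is the highest-priority signal.
            alerts.append(("high", "audit log deletion", ev))
        elif action in PRIVILEGED_ACTIONS and actor not in PRIVILEGED_ACCOUNTS:
            # A privileged action from a non-privileged account. A user
            # changing their own password is normal self-service and is excluded.
            if not (action == "PASSWORD_CHANGE" and actor == target):
                alerts.append(("high", "privileged action by non-privileged account", ev))
        elif action in PRIVILEGED_ACTIONS:
            # Expected privileged use: recorded at info level for routine review.
            alerts.append(("info", "privileged action", ev))
        elif action in DAY_TO_DAY_ACTIONS and actor in PRIVILEGED_ACCOUNTS:
            # The guidance says privileged accounts are not for day-to-day use.
            alerts.append(("medium", "privileged account used for day-to-day activity", ev))
    return alerts


def summarize(alerts):
    """Count alerts per severity, e.g. {'high': 2, 'medium': 1, 'info': 2}."""
    return dict(Counter(sev for sev, _, _ in alerts))


if __name__ == "__main__":
    found = find_alerts(SAMPLE_LOG)
    for sev, reason, ev in found:
        print(f"[{sev}] {reason}: {ev['ts']} {ev['actor']} {ev['action']} {ev['target']}")
    print(summarize(found))
```

Run against the sample log, the script raises two high-severity alerts (the audit log deletion and the account deletion performed by a non-privileged user), one medium alert for the database administrator account browsing the web, and two informational records for the system administrator's expected account provisioning; the self-service password change and the malformed line produce nothing.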

Categories
Uncategorized

Cyber Security Guidance For Businesses: Network security

Connecting to untrusted networks (such as the Internet) can expose your organisation to cyber attacks. Follow recognised network design principles when configuring perimeter and internal network segments, and ensure all network devices are configured to the secure baseline build. Filter all traffic at the network perimeter so that only traffic required to support your business is allowed, and monitor traffic for unusual or malicious incoming and outgoing activity that could indicate an attack (or attempted attack).

Categories
Uncategorized

Cyber Security Guidance For Businesses: Secure configuration

Introduce corporate policies and processes to develop secure baseline builds, and manage the configuration and use of your ICT systems. Remove or disable unnecessary functionality from ICT systems, and keep them patched against known vulnerabilities. Failing to do this will expose your business to threats and vulnerabilities, and increase risk to the confidentiality, integrity and availability of systems and information.

Categories
Uncategorized

Cyber Security Guidance For Businesses: Information Risk Management Regime

Assess the risks to your organisation’s information assets with the same vigour as you would for legal, regulatory, financial or operational risk. To achieve this, embed an Information Risk Management Regime across your organisation, supported by the Board, senior managers and an empowered information assurance (IA) structure. Consider communicating your risk management policy across your organisation to ensure that employees, contractors and suppliers are aware of your organisation’s risk management boundaries.