C3 – A Cybersecurity Plan for a System Flashcards
C – Cybersecurity Protection Plans
Threat(s) addressed by the protection measure
⚫ the risk number identified in the risk assessment and the risk title should be identified here. Each protection mechanism will address at least one of these risks, but potentially more.
Action(s) to be taken
⚫ a description of all the actions to be taken as part of the protection mechanism. This should be as detailed as possible. For example, saying “Configure Firewall” wouldn’t be enough. What configuration must be performed?
Reasons for the action(s)
⚫ there should be a detailed justification for each protection measure. This is the largest part when documenting each measure. It should explain in detail how the measure will protect against the threats it addresses.
Technical and Financial Constraints
⚫ Difficulties in any technical tasks, such as the configuration of hardware or software, that may require specialist skills.
⚫ Limitations in the hardware or software available to perform the security measure (this can also be a financial constraint, given the requirement to purchase these items).
⚫ Required staff to perform certain protection measures (e.g. security staff) which would be constrained by finances due to salary. This can also include the cost of training.
⚫ We should document any technical or financial factors that need to be considered for each protection measure and state how heavily they may affect our implementing the measure.
Legal Responsibilities
👉 the legislation related to cyber security. These include the:
⚫ Data Protection Act & General Data Protection Regulation
⚫ Computer Misuse Act
⚫ Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations
⚫ Fraud Act
⚫ Health & Safety at Work Act
⚫ You will need to document how these laws may need to be considered when implementing each protection measure. This might be relevant legislation that could impact you if the measure isn’t implemented, or any considerations that might limit your implementation of the measure.
⚫ For example, if implementing software for monitoring network usage, then you’ll need to ensure you consider the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations which govern this.
Usability of the System
👉 We need to document how any of our protection measures may impact the usability of the network and computer systems.
⚫ For example, this might be caused by impacts on the performance of the system as a result of the protection measures. Implementing anti-virus scanners on devices running real-time protection may slow down older devices. Backing up by syncing all files to the cloud may slow down save times for files.
👉 It could also slow staff in performing tasks by limiting functions.
⚫ For example, new procedures that must be followed to install software (such as only giving admins the rights to do so), or firewalls that block staff from accessing certain websites they may require.
👉 Finally, there may be an impact on user experience or ease of use.
⚫ For example, implementing a VPN for staff to access the network from home may not be easy for many staff to use.
Cost-Benefit Analysis
👉 As a further part of the cyber security plan, it will be necessary to compare the cost of countering a threat to the supposed benefit one would receive from it. A company will likely only protect against a threat if it is financially sensible to do so. Otherwise, we’d go down the route of “risk acceptance”.
👉 This doesn’t need to involve complex calculations, but a short explanation of what the relevant costs and benefits are and whether the benefits will outweigh the costs.
⚫ For example, anti-malware will cost money to buy, so it is necessary to compare this to the benefit that one would receive – that is, protection from malware that could infect devices on the network. Given that anti-virus software is usually quite affordable and the impact of a malware infection will almost certainly be greater, we can be confident the benefits outweigh the costs.
Test Plan
⚫ Test No. – a sequential number for each test.
⚫ Test Description – a short explanation of what action will be performed to test the system.
⚫ Expected Outcome – a short description of what should happen if you have implemented the protection measure correctly.
⚫ Possible Further Action – a short explanation of what you may need to do if the test fails, to ensure that it will pass on a retest.