Cybersecurity is Everyone's Job - A Publication of the National Initiative for Cybersecurity Education Working Group Subgroup on Workforce ...

 
Cybersecurity is
Everyone’s Job
A Publication of the
National Initiative for Cybersecurity Education Working Group
Subgroup on Workforce Management at the
National Institute of Standards and Technology

                                                    1 | v1.0
Abstract
This guidebook outlines what each member of an organization should do to protect it from cyber threats, based on the
types of work performed by the individual.
It is aligned with the strategic goals of the National Initiative for Cybersecurity Education (NICE), a program of the
National Institute of Standards and Technology (NIST). The need for this paper was identified by the Workforce Man-
agement subgroup of the NICE Working Group (NICEWG), a voluntary collaboration of industry, academic and
government representatives formed to facilitate, develop and promote cybersecurity workforce management guidance
and measurement approaches that create a culture where the workforce is managed and engaged to effectively address
the cybersecurity risks of their organization.

Disclaimer
This is not an official publication of the U.S. government. The guidelines provided in this guidebook are non-binding,
non-regulatory recommendations. Authors and editors are not liable for circumstances arising from the implementa-
tion of these recommendations.
Published October 2018
https://www.nist.gov/itl/applied-cybersecurity/nice/workforce-management-guidebook
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0
International License, at https://creativecommons.org/licenses/by-nc-sa/4.0

                                                   2 | v1.0
Contents
Abstract.........................................................................................................................................................................2
Introduction..................................................................................................................................................................4
Building a Cyber-Secure Culture...................................................................................................................................6
Leadership, Planning, and Governance..........................................................................................................................7
Sales, Marketing, and Communications........................................................................................................................9
Facilities, Physical Systems, and Operations................................................................................................................11
Finance and Administration........................................................................................................................................13
Human Resources.......................................................................................................................................................15
Legal and Compliance.................................................................................................................................................17
Information Technology..............................................................................................................................................19
Appendix 1: Doing the Right Things...........................................................................................................................21
Appendix 2: Project Team...........................................................................................................................................22
Appendix 3: Methodology...........................................................................................................................................24
Appendix 4: Where to Learn More..............................................................................................................................25

                                                                                         3 | v1.0
Introduction
We are the greatest vulnerability in any organization.            encouraged to exercise good hygiene such as washing
In this era of persistent cyber threats, an organization can      hands and seeking preventative care through immuniza-
be secure only with the active participation of everyone.         tions, and even children are well versed in best practices
Unfortunately, many organizations limit security respon-          for covering your mouth when you sneeze, handwashing
sibilities to designated security personnel that perform          and so forth. Even when well-trained medical profes-
specialized security functions. Effective security must be        sionals are delivering exceptional care in a robust health
enterprise-wide, involving everyone in fulfilling security        care system, the spread of diseases is primarily prevented
responsibilities. Each member of the group, from the              through good hygiene. Similarly for good “cyber hygiene,”
newest employee to the chief executive, holds the power           when each of us takes appropriate care, we protect the
to harm or to help, to weaken or strengthen, the organi-          larger community.
zation’s security posture.                                        Another common misunderstanding is that organizations
This guidebook outlines what each of us should do to pro-         just need to hire more technically-savvy cybersecurity
tect the organization, based on the types of work we do.          professionals. Without a doubt, these skilled people
                                                                  are very important. Without them, essential technical
                                                                  safeguards could not be implemented, ongoing security
                                                                  operations would not be conducted, and there would be
                                                                  no one to respond to the next cyber incident. However,
  Cybersecurity                                                   the largest “attack surface” of the organization is you and
                                                                  me—the people who perform common functions: Lead-
  Measures taken to protect a computer or computer system
                                                                  ership, Planning, and Governance; Sales, Marketing, and
  (as on the Internet) against unauthorized access or attack
                                                                  Communications; Facilities, Physical Systems, and Oper-
  (Merriam-Webster).
                                                                  ations; Finance and Administration; Human Resources;
                                                                  Legal and Compliance; and routine Information Techno­
                                                                  logy operations. Therefore, cybersecurity is everyone’s job.
Benefits of this Guidebook
 • Helps you to know what you need to do, based on                Who Can Use this Guidebook?
   your role                                                      This guidebook is intended for every kind of organiza-
 • Engages all functions and roles—technical and                  tion, from large government agencies and publicly-
   non-technical—in securing critical information and             traded corporations to nonprofits and small, family-
   systems                                                        owned businesses, since all organizations must perform
 • Provides essential, must-do-first guidance in plain            common, essential activities. These functions include
   language                                                       generating revenue, communicating with external cus-
                                                                  tomers and stakeholders, delivering products and services,
 • Turns the organization’s greatest vulnerability—its
   people—into the organization’s greatest asset                  leading people, and managing financial and legal matters,
                                                                  all of which depend on computing systems. Each of these
                                                                  areas routinely exposes the organization to a variety of
Why this Guidebook is Needed                                      cyber-related business risks. To reduce these risks, each
Contrary to the common misunderstanding that cyber                person in each business function must be involved, un-
threats are a technology problem looking for a technology         derstanding your role and taking individual responsibility
solution, the data clearly and consistently shows that em-        for mitigating cyber risks.
ployees are the greatest vulnerability of any organization.       In the following pages, you’ll find practical guidelines
This means that no matter how robust the technology               for action, organized by business function. Many of
is, or how many cybersecurity policies the Chief Infor-           these tasks are simple… so simple that they might seem
mation Security Officer (CISO) may have introduced,               inconsequential. But these guidelines reflect proven best
the organization cannot be secure without all individuals         practices developed by security experts from government,
doing their part, across all business functions, technical        industry and academia.
and non-technical.
                                                                  The cybersecurity of your organization depends on you,
Consider how dependent our public health is on the                and here’s what you can do.
active participation of everyone. We are all educated and

                                                       4 | v1.0
How to Use this Guidebook
This guidebook is organized by business function—those
essential activities which all organizations must perform
to at least some extent. Each function represents work
that may be performed by a number of formal job roles,
or they may be performed by one person, depending
on the size of the organization. They are intended for
full-time employees, part-time hires, leaders at all levels,
and those who perform tasks in that particular business
function, even if their primary role is elsewhere. The goal
is to build a cyber-secure workforce, with each person
doing their part to secure the organization.
The business functions are presented as seven categories:

  »» Leadership, Planning, and Governance

  »» Sales, Marketing, and Communications

  »» Facilities, Physical Systems, and Operations

  »» Finance and Administration

  »» Human Resources

  »» Legal and Compliance

  »» Information Technology

Each section is written so that it may be used as a stand-
alone reference for that particular business function;
therefore, some of the guidelines will appear in multiple
sections.
Additional resources, references and information on
how this guidebook was developed are contained in the
appendices.
Please note that the information in this guidebook is not
intended to replace your organization’s security policies;
rather, it provides a supplemental quick reference of ac-
tions that each person can perform to ensure the organi-
zation’s cyber resilience.
This document can be shared as-is, or organizations may
tailor it to their needs and communication methods—in
materials such as booklets, webpages, publications, or
webinars. The intent is for users to understand how every-
one in an organization—across all business functions and
roles—can enforce the cybersecurity posture of their or-
ganization. For more information on acceptable use and
sharing, please refer to the Creative Commons licensing
terms for Attribution-NonCommercial-ShareAlike 4.0
International License, at https://creativecommons.org/
licenses/by-nc-sa/4.0

                                                               5 | v1.0
Building a Cyber-Secure Culture
Your organization’s culture is critical to establishing a suc-    Awareness Month is a particularly good time to empha-
cessful cybersecurity posture. Its culture must emphasize,        size these themes.
reinforce, and drive behavior toward security. A resilient
workforce will not exist without a cyber-secure culture.          Performance Management
                                                                  Incentives and disincentives can have a profound impact
Mindset                                                           on human behavior. For real cultural change to occur in
Mindset is a critical component of culture. When we               cybersecurity preparedness, individual performance goals
build awareness into the organizational culture, we               must align with the goals of the organization. Performance
increase our ability to address cyber risks. Every organi-        goals for security can include completion of required
zation is at risk, whether a small non-profit or a Fortune        training, improved responses to phishing exercises, compli-
100 company. Given the prevalence of cyber attacks, we            ance with policies, and avoidance of risky online behaviors.
need to stay alert and prepared. Mindset will drive appro-        Financial and operational metrics are common in organiza-
priate behaviors at the individual level, contributing to         tions; security metrics should be also.
the resilient workforce that every organization needs.
                                                                  Technical and
Leadership                                                        Policy Reinforcement
The organization’s leaders set the tone. Leadership is            Technical controls associated with human behavior can
the most important factor to influencing awareness and            be implemented to reinforce cyber-secure culture. Just as
mindset. Leaders must embrace cybersecurity education,            physical access controls reinforce the mental awareness of
awareness and best practices. Leaders must also support           a physical perimeter, so can password policies, multi-
security investments, and champion cybersecurity in               factor authentication and mobile device management
enterprise risk management. Deep technical knowledge              solutions reinforce security culture. Policy at the organiza-
is not required from leaders; rather, they should model           tional level can also drive implementation of controls by
good personal security habits based on sound guidelines.          outlining the negative consequences of non-compliance.
Leadership involvement is critical for a cyber-secure
organization.                                                     There are many ways that these guidelines can be imple-
                                                                  mented, reflecting the unique culture of each organiza-
                                                                  tion. What matters is that they form the basis for devel-
Training and Awareness                                            oping a cyber-secure culture by increasing awareness and
Once leaders foster a cyber-secure culture, the next step         fostering the right mindset. With a sound cyber-secure
is to implement employee awareness training. These                culture in place, each business function can focus on its
programs build an understanding of risks, and—most                own contribution to protect the organization.
importantly—provide specific steps for mitigating them.
Training programs come in many forms; most involve
computer-based learning modules and practical exercises.
The use of social engineering, or manipulation, to spread
exploits via unsuspecting employees is an increasing risk.
They may have access to the targeted data or systems
themselves, or may be exploited to reach those who do. A
key element in a training program is hardening your em-
ployees to the reality of socially engineered exploits. No
program will lead to a sustained 100% success rate against
human-based exploits, but can substantially reduce the
volume and the impact of attacks; your cyber defenders
can focus on a smaller, more manageable set of incidents.
Another common way to help build cyber-secure culture
is through internal awareness campaigns. From posters
and newsletters to contests and prize drawings, organiza-
tions have found effective ways to generate “buzz” around
important security themes. While these methods should
be employed year round, October’s National Cybersecurity

                                                       6 | v1.0
Leadership, Planning, and Governance
Setting overall direction, establishing priorities,                      service providers and educators
maintaining influence, and mitigating risks                           »» Regularly commission objective risk assessments
                                                                         of the organization
                                                                      »» Direct the implementation of cybersecurity best
What Leadership, Planning, and                                           practice frameworks, maintained by authori-
Governance Does                                                          tative entities such as the National Institute of
                                                                         Standards and Technology (NIST), Center for
If you are responsible for the overall strategic direction               Internet Security (CIS), and International Orga-
of the organization, or for maintaining controls and                     nization for Standardization (ISO)
mitigating risks, this section applies to you. Leadership,       • Include cyber risks in the enterprise risk
Planning, and Governance professionals are often the               management process
most senior leaders, or are directly supporting strategic
                                                                      »» Avoid treating cyber risks as a separate and mys-
decision makers. You may be involved in board proceed-                   terious matter only for technologists
ings, contribute as senior level management or manage a
complex government agency, with fiduciary responsibility              »» Understand the organizational impacts of cyber
and budget authority. Or, you could be the owner-op-                     incidents
erator of a small business or franchise. What all these               »» Consider risks introduced by partners and sup-
roles have in common is that final decisions are made by                 pliers
you, or you are supporting those who make those de-                   »» Conduct exercises and decision-making drills to
cisions. Because competing demands must be balanced                      familiarize yourself and your organization with
and limited resources allocated, you play a crucial role in              how to respond to disasters and security inci-
establishing priorities and ensuring adherence to them. At               dents
the same time, strategic risks to the organization must be            »» Prioritize cyber-related risks to ensure appropri-
addressed. You are often the arbiter of difficult decisions.             ate attention and effort is committed to their
You matter to the organization, because without you,                     mitigation
the organization lacks direction and cohesion. You are           • Develop and maintain organizational information
the hub of the wheel—connecting to, coordinating, and              security policies and standards
driving the many parts of the business.                               »» Ensure that information security policies are
                                                                         informed by risk assessments, regulations, and
                                                                         standards/best practices
The Role of Leadership, Planning,
                                                                      »» Ensure organizational security policies are ap-
and Governance in Cybersecurity                                          propriately implemented, institutionalized and
is All About:                                                            communicated
 1. Managing and mitigating overall cyber-related busi-               »» Be aware of relevant data protection / privacy
    ness risks                                                           regulations and legislation to ensure that your
 2. Establishing effective governance controls
 3. Prioritizing and resourcing cybersecurity programs            Your title includes words like:
 4. Safeguarding the sensitive information you rely on for
                                                                  Director, Board, Chairman, Chief, Executive, Command-
    planning and decision making
                                                                  er, President, Vice President, Partner, Principal, Owner,
 5. Establishing a cyber-secure culture within the organi-        Founder, Secretary, Consultant, Strategy, Governance,
    zation                                                        Risk, Intelligence, Controls

What Leadership, Planning, and Governance                         Information and systems you own,
professionals should do:                                          manage, or use:
 • Understand cybersecurity basics and best practices well        • Strategic plans
   enough to enable sound decision making                         • Intellectual property
      »» Establish a routine reporting process for cyber          • Board and senior management proceedings
         risks within the organization                            • Financial records
                                                                  • Merger and acquisition information
      »» Engage with trusted third parties to learn about
                                                                  • Third-party recommendations and reports
         cyber risks and their mitigations—this includes
                                                                  • Routine communications of a sensitive nature
         consultants, industry groups, and cybersecurity

                                                               7 | v1.0
organization remains in compliance, e.g., Gener-     • When traveling, secure your connections to the enter-
         al Data Protection Regulation (GDPR), Health           prise
         Insurance Portability and Accountability Act              »» Do not enter sensitive information on public
         (HIPAA), Federal Information Security Manage-                computers, such as in hotel lobbies, libraries and
         ment Act (FISMA), Freedom of Information Act                 internet cafés
         (FOIA), Sarbanes-Oxley (SOX), Family Educa-
         tional Rights and Privacy Act (FERPA)                     »» Use VPN access to corporate networks whenever
                                                                      possible
      »» Have a schedule in place to regularly review and
         update policies                                           »» Do not use public Wi-Fi without VPN to trans-
                                                                      mit sensitive information
• Promote the development of effective cross-functional
  teams to accomplish cybersecurity goals for the orga-            »» Use a dedicated wireless hotspot for internet
  nization.                                                           access
• Adequately fund cybersecurity resource requests                  »» If a hotspot is not available, consider tethering to
                                                                      a corporate or business-issued cell phone
      »» Digital assets cannot be protected without hu-
         man and technical resources; be ready to commit           »» Consider using disposable phones when travel-
         resources aligned to a cohesive cybersecurity                ing in regions with questionable data security or
         strategy                                                     excessive surveillance
      »» Plan for future needs                                     »» Physically protect your computer from theft and
                                                                      unauthorized access
• Protect sensitive strategic, financial, legal, and risk
  information                                                 • Use social media wisely
      »» Share only necessary information                          »» Apply strong privacy settings
      »» Ensure the information is retained/destroyed in           »» Don’t share personal information on business
         compliance with the organization’s data retention            accounts
         policies or external regulations                          »» Don’t share business information on personal
      »» Use strong encryption, strong passwords, and                 accounts
         other methods to secure files when you transfer
         them to others
• Protect access to online file sharing or decision
  support platforms by applying best practices, such as:
      »» Strong passphrases
      »» Unique passphrases for each critical account
      »» Multi-factor authentication
What we all should do:
• Ensure that all operating systems and applications are
  at their most current and secure version by enabling
  automatic updates from the vendor
• When working from home, secure your home network
  by applying best practices (see NIST SP 800-46 Rev. 2),
  such as:
      »» Change your wireless router password, SSID, and
                                                               A note to leaders
         limit ability of others to find it
      »» Maximize encryption levels on your wireless           You are ultimately responsible. Work with cybersecurity
         router                                                experts—externally and those you hire internally—to es-
                                                               tablish sound guidelines, be familiar with those guidelines,
      »» Increase privacy settings on your browser
                                                               implement them yourself, and ensure that your teams know
      »» Use Virtual Private Networks (VPN) to access          what they’re expected to do.
         corporate networks whenever possible
                                                               Don’t be afraid to ask questions. Nobody expects you
      »» For additional security, protect browsing privacy
                                                               to understand cyber as well as you understand finance or
         through encrypted browsers
                                                               operations, but everyone expects you to mitigate risks to
      »» For additional security, protect personal email       the business—and cyber risks are real. Your job depends
         accounts through encrypted email                      on how well you address the real risks of an often-unfamil-
      »»                                                       iar subject.

                                                   8 | v1.0
Sales, Marketing, and Communications
Raising awareness, communicating, generating                    • Develop a communications plan for the inevitable
                                                                  cyber incident
revenue, and interacting with customers
                                                                      »» Participate in internal incident response team
                                                                         planning
What Sales, Marketing, and                                            »» Become familiar with the cyber incident response
Communications Does                                                      plan
                                                                      »» Participate in “table-top exercises” and other
If you are interacting with customers, clients, donors or
                                                                         planning efforts in anticipation of cyber incidents
citizens, this applies to you. Sales, Marketing, and Com-
munications professionals are those who engage prospec-               »» Draft a communication plan consistent with
tive and existing customers to drive awareness of products               regulatory requirements, legal considerations,
                                                                         industry best practices, and commitments made
and services, stimulate interest, and generate revenue
                                                                         to external stakeholders
through sales or other means. You may also be involved
in public- and media-facing communications. You are             • Protect shared files
the messengers of the organization, carrying news of the              »» Use encryption, passwords, and other methods
good things you provide to those who need to know, and                   to secure files when you transfer them to/from
responding to current events. This includes the crucial                  customers and partners
work of converting business ideas into real business            • Protect access to your Customer Relationship
deals. Along with the people who deliver the products or          Management (CRM) platform by applying best prac-
services, you are often the most visible, outward-facing          tices, such as:
people in your organization.                                          »» Strong passphrases
You matter to the organization, because without you,                  »» Unique passphrases for each critical account
ideas, products and services sit idle—you make the orga-
                                                                      »» Multi-factor authentication
nization a vibrant part of the world around it.
                                                                      »» Restricting levels of access by need

The Role of Sales, Marketing, and                                     »» Removing employees or vendors when they are
                                                                         no longer involved
Communications in Cybersecurity                                 • Protect customer information in quotes, purchase
is All About:                                                     orders, invoices, payments, and presentations
 1. Protecting the company brand, reputation and the                  »» Share only necessary information
    trust of citizens, customers, and partners                        »» Ensure the information is destroyed in com-
 2. Preventing/limiting information loss as you interact                 pliance with the organization’s data retention
    with the outside world                                               policies or applicable regulations
 3. Reducing risks to the enterprise network presented by        • Bring customers’ cyber concerns back into the orga-
    remote work, telecommuting, and travel                           nization.

What Sales, Marketing, and Communications
professionals should do:                                         Your title includes words like:
 • Communicate the importance of cybersecurity matters           Sales, Accounts, Client, Revenue, Business Development,
   to your stakeholders                                          Donor Relations, Advertising, Social Media, Marketing,
                                                                 Demand Generation, Communications, Media Relations,
      »» Access reputable sources to develop a well-rounded
                                                                 Analyst Relations, Public Affairs, Community, Stakeholder,
         understanding of how information and systems
                                                                 Engagement, Relationship Manager
         fit into the ecosystem of the people you interact
         with—this includes consultants, industry groups,        Information and systems you
         cybersecurity service providers and educators           own, manage, or use:
      »» Inventory the types of information entrusted to
         the care of your organization, and consider the         • Customer data		        •Public announcements
         potential impact of data compromise for your            • Partner data		         •Public-facing websites
         customers and partners                                  • Contracts		            •Social media accounts
                                                                 • Financial data		       •Press releases
      »» Understand the potential impact of a cyber in-          • Customer support portals
         cident to your organization, including customer         • Customer Relationship Management (CRM) systems
         trust and competitive advantage

                                                              9 | v1.0
• Be aware of the implications of conducting business
    in foreign jurisdictions with different regulations
    such as the European Union’s General Data Protec-
    tion Regulation (GDPR)
What we all should do:
• Ensure that all operating systems and applications are
  at their most current and secure version by enabling
  automatic updates from the vendor
• When working from home, secure your home network
  by applying best practices (see NIST SP 800-46 Rev. 2),
  such as:
      »» Change your wireless router password, SSID, and
         limit ability of others to find it
      »» Maximize encryption levels on your wireless
         router
      »» Increase privacy settings on your browser
      »» Use Virtual Private Networks (VPN) to access
         corporate networks whenever possible
      »» For additional security, protect browsing privacy
         through encrypted browsers
      »» For additional security, protect personal email
         accounts through encrypted email
• When traveling, secure your connections to the enter-
  prise
      »» Do not enter sensitive information on public
         computers, such as in hotel lobbies, libraries and
         internet cafés
      »» Use VPN access to corporate networks whenever
         possible
      »» Do not use public Wi-Fi without VPN to trans-
         mit sensitive information
      »» Use a dedicated wireless hotspot for internet
         access
      »» If a hotspot is not available, consider tethering to
         a corporate or business-issued cell phone
      »» Consider using disposable phones when travel-
         ing in regions with questionable data security or
         excessive surveillance
      »» Physically protect your computer from theft and
         unauthorized access                                     A note to leaders
• Use social media wisely
                                                                 Implementing cybersecurity best practices is hard to do
      »» Apply strong privacy settings                           with external-facing employees, particularly if they are out
      »» Don’t share personal information on business            in the field most of the time. The most effective aspect of
         accounts                                                leadership is to lead by example: know these guidelines,
                                                                 implement them yourself, and ensure that your teams
      »» Don’t share business information on personal            understand what they’re expected to do.
         accounts
                                                                 Demand cyber-secure resources. If your organization
                                                                 does not provide secure connections, such as multi-factor
                                                                 authentication, VPN, and/or mobile hotspots, demand it!
                                                                 Your job, and the organization’s reputation, depends on
                                                                 maintaining the trust of citizens, customers, and partners.

                                                     10 | v1.0
Facilities, Physical Systems, and Operations
Designing and delivering products and services,                         »» Engage trusted third parties to develop an under-
                                                                           standing of cyber risks in the physical environ-
managing operations, and maintaining the                                   ment
physical environment                                                    »» Perform a comprehensive assessment of the phys-
                                                                           ical environment to identify vulnerabilities and
                                                                           weaknesses
What Facilities, Physical
                                                                 •   Ensure appropriate physical security controls are im-
Systems, and Operations Does                                         plemented at facilities
If you are designing and delivering the organization’s           •   Develop a comprehensive plan to improve the
products and services to your customers, or are part of              security of control systems
the operations to support delivery, or are managing and                 »» Leverage cybersecurity best practice frameworks,
maintaining the physical environment, this section ap-                     maintained by authoritative entities such as
plies to you. Since the types of products and services vary                National Institute of Standards and Technology
greatly, Facilities, Physical Systems, and Operations covers               (NIST), Center for Internet Security (CIS), Inter-
a diverse range of roles from site management to product                   national Organization for Standardization (ISO),
engineer to operations analyst to distribution manager,                    and ISA99
and beyond. You deliver the organization’s value to the          •   Incorporate cybersecurity measures into the safety
world, fulfilling its primary purpose. Your role directly            program
impacts citizens, customers, and partners who depend on                 »» Ensure employee training includes awareness of
your organization’s products and services.                                 cyber risks in the physical environment
You matter to the organization, because successful devel-               »» Leverage the safety program as another means to
opment and delivery of its products and services de-                       foster a cyber-secure culture
pends on you. The organization would cease to function
                                                                        »» Partner with IT to develop a system for guests
without the capabilities you provide, and the primary                      who access the physical environment: limiting di-
purpose of the organization would go unfulfilled. Your                     rect access, providing a restricted Wi-Fi network,
performance is also crucial to maintaining a competitive                   etc.
advantage—what makes your organization unique and
                                                                 •   Protect intellectual property
respected—in a crowded, noisy, and busy world. Fur-
thermore, the technology systems you operate, including                 »» Use encryption, passwords, and other methods
those that manage physical processes (Operational Tech-                    to secure files when you transfer them to/from
nology (OT), rather than Information Technology (IT)),                     customers and partners
introduce potential risks to life and limb, making your                 »» Share only necessary information
security readiness paramount.                                           »» Ensure sensitive information is destroyed in
                                                                           compliance with the organization’s data retention
The Role of Facilities, Physical                                           policies or external regulations

Systems, and Operations in
Cybersecurity is All About:                                          Your title includes words like:
 1. Protecting the uniqueness of the products and ser-               Operations, Delivery, Consultant, Services, Engineering,
    vices that your organization delivers                            Product Development, Process Control, Workplace, Plant,
                                                                     Facilities, Fabrication, Office, Maintenance, Logistics, Sup-
 2. Securing physical systems from compromise due to                 ply Chain, Real Estate, Design, Manufacturing, Safety
    all hazards, including physical and cyber risks
                                                                     Information and systems you
 3. Integrating cybersecurity with physical safety and               own, manage, or use:
    security
                                                                     • Intellectual property
What Facilities, Physical Systems, and Operations                    • Plans, diagrams and schematics
professionals should do:                                             • Physical control systems
 • Identify cyber risks to the resilience of physical sys-           • Supervisory Control and Data Acquisition (SCADA)
   tems, including control systems                                     systems
                                                                     • Building management systems (BMS)
      »» Engage IT and OT stakeholders                               • Physical security systems

                                                               11 | v1.0
»» Prevent remote access to systems unless absolutely          »» Don’t share personal information on business
         necessary                                                      accounts
• Consider security risks and mitigations in the supply              »» Don’t share business information on personal
  chain                                                                 accounts
      »» Ensure security controls are embedded within
         products where necessary
      »» Ensure suppliers adhere to security best practices
• Protect access to your information repositories by
  applying best practices, such as:
      »» Strong passphrases
      »» Unique passphrases for each critical account
      »» Multi-factor authentication
What we all should do:
• Ensure that all operating systems and applications are
  at their most current and secure version by enabling
  automatic updates from the vendor
• When working from home, secure your home network
  by applying best practices (see NIST SP 800-46 Rev. 2),
  such as:
      »» Change your wireless router password, SSID, and
         limit ability of others to find it
      »» Maximize encryption levels on your wireless
         router
      »» Increase privacy settings on your browser
      »» Use Virtual Private Networks (VPN) to access
         corporate networks whenever possible
      »» For additional security, protect browsing privacy
         through encrypted browsers
      »» For additional security, protect personal email
         accounts through encrypted email
• When traveling, secure your connections to the enter-
  prise
      »» Do not enter sensitive information on public
         computers, such as in hotel lobbies, libraries and
         internet cafés
      »» Use VPN access to corporate networks whenever
         possible
      »» Do not use public Wi-Fi without VPN to trans-           A note to leaders
         mit sensitive information
      »» Use a dedicated wireless hotspot for internet           Cultural barriers are as big as any other factor when it
         access                                                  comes to cybersecurity in industrial environments and
                                                                 physical systems. It will require persistence, edu­cation,
      »» If a hotspot is not available, consider tethering to    and leadership by example to build bridges between oper-
         a corporate or business-issued cell phone               ational technology and information technology profession-
      »» Consider using disposable phones when travel-           als, as well as between cybersecurity and industrial safety
         ing in regions with questionable data security or       advocates.
         excessive surveillance
                                                                 Address risks holistically, across all domains. Insist
      »» Physically protect your computer from theft and         that your employees do the same. Just as safety culture is
         unauthorized access                                     driven by good leadership, sound performance manage-
• Use social media wisely                                        ment, and effective training, so is cybersecurity culture in
      »» Apply strong privacy settings                           operational environments.

                                                     12 | v1.0
Finance and Administration
Providing planning, forecasting, accounting,                      The Role of Finance and
transactional and administrative support to all                   Administration in Cybersecurity is
functions within the organization                                 All About:
                                                                   1. Integrating cyber risks into the enterprise risk man-
What Finance and                                                      agement process
Administration Does                                                2. Resourcing cybersecurity initiatives consistent with
                                                                      security strategy, and balanced with other IT invest-
If you are involved in managing the organization’s finances,          ments
from planning and budgeting to accounting and processing
                                                                   3. Maintaining the confidentiality and integrity of
transactions, this section applies to you. You are responsible
                                                                      sensitive financial information to ensure security and
for ensuring that each part of the organization has the abili-        compliance with applicable policies
ty to pay for goods and services, operate within a budget,
track revenues and expenditures, and conduct business             What Finance and Administration professionals should do:
with external entities—from customers to suppliers. You           • Ensure that cyber risks are integrated into the enter-
may also provide administrative support to the Planning             prise risk management process
and Governance function or manage office operations.
                                                                       »» Identify cyber-related risks to the enterprise early
While this function includes all persons with a full-time
                                                                          in the risk management process, not as a separate
role in these areas, it also applies to all executives, manag-            activity or late addition
ers, and associates who handle financial and administrative
matters; in other words, just about everyone.                          »» Understand the many different business effects of
                                                                          cyber threats, which range from business disrup-
In many cases, the Finance and Administration function                    tion and loss of credibility to legal liability and
includes enterprise risk management, with associated                      physical damage
processes and personnel reporting into a Chief Financial          • Provide sufficient funding to enable the success of the
Officer (CFO) or similar role. Internal audit and compli-           organization’s cybersecurity strategy
ance functions may also be included.
                                                                       »» Reference the organization’s security strategy and
You matter to the organization because nothing can                        external best practice frameworks to help priori-
happen without the ability to maintain financial health,                  tize investments
perform essential transactions, manage business risks and              »» Work with cybersecurity leaders to understand
support the Planning and Governance function.                             how their resource requests align with strategy
                                                                          (which, in turn, should align with enterprise risk
                                                                          management); differentiate between the must-
  Your title includes words like…                                         haves and nice-to-haves
  Finance, Financial, Comptroller, Accountant, Budget, Risk,           »» Develop a complete view of security-related
  Compliance, Contracting, Purchasing, Procurement, Buy-                  spending, which is often spread across multiple
  er, Acquisitions, Vendor Management, Auditor, Examiner,                 functional areas and budget allocations
  Loan, Trader, Underwriter                                       • Collaborate with other business functions on a plan
                                                                    for emergency spending
  Information and systems you
  own, manage, or use                                                  »» In the event of a cyber incident, incident re-
                                                                          sponse plans should also incorporate how to
  • Financial performance records                                         purchase needed equipment or services
  • Budgets
                                                                       »» Vendors and contractors should already be vetted
  • Financial assessments and audit reports
                                                                          and in place if such an incident should occur
  • Tax filings (e.g. IRS forms)
  • Public filings (e.g. SEC forms)                                    »» Contingency plans should be made for loss of
  • Planning tools and platforms                                          financial systems to ensure continuity with mini-
  • Enterprise risk management tools and platforms                        mal disruption
  • Risk assessments and audit reports                                 »» Consider purchasing cyber risk insurance to off-
  • Compensation and benefits information                                 set the financial impact of security incidents
  • Accounts payable systems
  • Accounts receivable systems
                                                                       »» Ensure that the emergency plan includes com-
  • Contracts
                                                                          pensating services for affected parties, such as
                                                                          credit monitoring services

                                                                 13 | v1.0
• Work with Legal and Compliance, and Information                      limit ability of others to find it
  Technology, to ensure contracts with third parties                »» Maximize encryption levels on your wireless
  include clauses for effective oversight of supplier                  router
  cybersecurity, notification of incidents, and adherence
  to relevant industry and government policies and regu-            »» Increase privacy settings on your browser
  lations                                                           »» Use Virtual Private Networks (VPN) to access
• Define the appropriate balance of resource allocation                corporate networks whenever possible
  between run-the-business or improve-the-business and              »» For additional security, protect browsing privacy
  secure-the-business investments                                      through encrypted browsers
      »» While the former can demonstrate a closer align-           »» For additional security, protect personal email
         ment to organization goals and performance, a                 accounts through encrypted email
         rush to implement them often introduces new
                                                               • When traveling, secure your connections to the enter-
         risks
                                                                 prise
      »» If done properly, improvements in IT operations
                                                                    »» Do not enter sensitive information on public
         can also improve security and compliance, since
                                                                       computers, such as in hotel lobbies, libraries and
         many foundational controls for security (such
                                                                       internet cafés
         as asset profiling, vulnerability management,
         configuration and patch management and access              »» Use VPN access to corporate networks whenever
         management) are essential to a well-run IT envi-              possible
         ronment                                                    »» Do not use public Wi-Fi without VPN to trans-
• Protect the organization’s financial viability and                   mit sensitive information
  reputation by ensuring compliance with financial                  »» Use a dedicated wireless hotspot for internet
  laws, regulations, rules, standards, and policies (both              access
  external and internal)
                                                                    »» If a hotspot is not available, consider tethering to
      »» Understand the regulatory requirements as-                    a corporate or business-issued cell phone
         sociated with financial information, such as
         Sarbanes-Oxley (SOX), Gramm-Leach-Bliley                   »» Consider using disposable phones when travel-
         Act (GLBA) and Payment Card Industry Data                     ing in regions with questionable data security or
         Security Standards (PCI DSS)                                  excessive surveillance
      »» Support the cybersecurity team’s efforts to secure         »» Physically protect your computer from theft and
         systems which are impacted by these require-                  unauthorized access
         ments                                                 • Use social media wisely
• Protect sensitive strategic, financial, legal, and risk           »» Apply strong privacy settings
  information                                                       »» Don’t share personal information on business
      »» Share only necessary information                              accounts
      »» Ensure the information is destroyed in com-                »» Don’t share business information on personal
         pliance with the organization’s data retention                accounts
         policies or external regulations
      »» Use encryption, passwords and other methods to
         secure files when you transfer them to others
• Protect access to any online file sharing or decision
  support platform by applying best practices, such as:
                                                                A note to leaders
      »» Strong passphrases
      »» Unique passphrases for each critical account           As Finance and Administration leaders, you are often the
                                                                default arbiter for resource demands among the other
      »» Multi-factor authentication                            business functions. At the same time, there are many
What we all should do:                                          decisions that must be influenced or made by you in
 • Ensure that all operating systems and applications are       organizational planning, enterprise risk management, and
   at their most current and secure version by enabling         resource allocation in which you are not the subject matter
   automatic updates from the vendor                            expert—but the decisions must be made.

 • When working from home, secure your home network             Get smart about cybersecurity and enterprise risk. Your
   by applying best practices (see NIST SP 800-46 Rev. 2),      job, and the financial health of the organization, depends
   such as:                                                     on your ability to make reasonable recommendations and
       »» Change your wireless router password, SSID, and       decisions where there are many trade-offs.

                                                   14 | v1.0
Human Resources
Planning, hiring, and supporting the devel-                                   cybersecurity-specific roles which can perform
                                                                              cyber­security functions
opment, retention, and compensation of the
                                                                           »» Apply standard lexicon to internal planning con-
organization’s workforce                                                      versations, to ensure a common understanding
                                                                              across business functions
What Human Resources Does                                          •   Ensure cybersecurity knowledge, skills, and abilities
                                                                       are incorporated into employee training and develop-
If you are responsible for the management and optimiza-                ment programs
tion of the organization’s human resources—from entry-lev-
                                                                   •   Mitigate risks introduced by new hires by performing
el staff to senior executives—as well as external stakeholders
                                                                       background checks
(job candidates to recruiters, consultants, human resources
associations, and benefits providers), this applies to you.        •   Require and track participation in cybersecurity train-
You direct human resource strategy in alignment with the               ing and awareness programs for all employees across
                                                                       the enterprise
organization’s strategy. Your role includes human resources
policies and management, talent acquisition and develop-           •   Leverage human resources best practices to support
ment, workforce and succession planning, employee rela-                retention of critical cybersecurity roles
tions and engagement, culture and diversity, performance           •   Be vigilant to ensure selection of vendors that can
management, and compensation and benefits. You may                     effectively maintain the confidentiality of employee
also be involved in maintaining records in human resources             personal information, which frequently includes pro-
administration portals and talent acquisition tools.                   tected health information
You matter to the organization, because without your               •   Protect access to your human resource management
expertise and efforts to acquire, cultivate, and retain the            platform by applying best practices, such as:
organization’s most valuable asset, its people, the orga-                  »» Strong passphrases
nization would not possess the knowledge, skills, and                      »» Unique passphrases for each critical account
abilities necessary to succeed. Because of you, best prac-
                                                                           »» Multi-factor authentication
tices for human resource management can be applied in a
consistent manner.                                                 •   Protect sensitive information in employee recruiting,
                                                                       performance, compensation, and benefits:
                                                                           »» Share only necessary information
The Role of Human Resources in
                                                                           »» Ensure the information is destroyed in com-
Cybersecurity is All About:                                                   pliance with the organization’s data retention
 1. Implementing best practices in organizational change                      policies or external regulations
    management, employee training, and performance                         »» Use encryption, passwords, and other methods
    management to enable a cyber-secure culture                               to secure files when you transfer them internally,
 2. Ensuring that critical cybersecurity roles are filled,                    or externally with stakeholders such as recruiters,
    consistent with the NICE Cybersecurity Workforce
    Framework, and that employees remain current on
    necessary knowledge, skills and abilities                          Your title includes words like:
                                                                       Human Resources, Human Capital, People, Talent,
 3. Safeguarding sensitive employee information
                                                                       Workforce, Recruitment, Acquisition, Labor, Organizational
 4. Spearheading efforts to mitigate the risks of insider              Design, Training, Benefits, Compensation, Performance
    threat                                                             Management

What Human Resources professionals should do:                          Information and systems you
                                                                       own, manage, or use:
• Leverage NIST Special Publication 800-181, Na-
  tional Initiative for Cybersecurity Education (NICE)                 • Employee data
  Cybersecurity Workforce Framework to deploy human                    • Human resource information systems
  resources to the proper cybersecurity roles                          • Recruitment and onboarding systems (applicant tracking
     »» Reference this framework for workforce plan-                     systems)
        ning, competency development, talent acquisi-                  • Performance management systems
        tion, and retention                                            • Succession planning models
                                                                       • Benefits administration systems
     »» Reference this framework to identify non-

                                                                 15 | v1.0
potential hires, etc.
• Ensure the accounts of terminated employees are
  closed promptly
      »» Immediately notify IT of pending or actual
         terminations
      »» Update directories with new status, to ensure cas-
         cading of permissions changes across platforms
         and applications
      »» Update HR records accordingly
What we all should do:
• Ensure that all operating systems and applications are
  at their most current and secure version by enabling
  automatic updates from the vendor
• When working from home, secure your home network
  by applying best practices (see NIST SP 800-46 Rev. 2),
  such as:
      »» Change your wireless router password, SSID, and
         limit ability of others to find it
      »» Maximize encryption levels on your wireless
         router
      »» Increase privacy settings on your browser
      »» Use Virtual Private Networks (VPN) to access
         corporate networks whenever possible
      »» For additional security, protect browsing privacy
         through encrypted browsers
      »» For additional security, protect personal email
         accounts through encrypted email
• When traveling, secure your connections to the enter-
  prise
      »» Do not enter sensitive information on public
         computers, such as in hotel lobbies, libraries and
         internet cafés
      »» Use VPN access to corporate networks whenever
         possible
      »» Do not use public Wi-Fi without VPN to trans-
         mit sensitive information
      »» Use a dedicated wireless hotspot for internet
         access
      »» If a hotspot is not available, consider tethering to
         a corporate or business-issued cell phone               A note to leaders
      »» Consider using disposable phones when travel-           Human resource professionals have always played an
         ing in regions with questionable data security or       important role in addressing business risks, ranging from
         excessive surveillance                                  natural disasters and workplace violence to lawsuits and
      »» Physically protect your computer from theft and         lay-offs. Cyber-related business risks are no different: they
         unauthorized access                                     cannot be effectively addressed without the implementa-
                                                                 tion of best practices in workforce management.
• Use social media wisely
      »» Apply strong privacy settings                           Be proactive in working with other business functions
                                                                 to address cyber-related risks. Early involvement is the
      »» Don’t share personal information on business            key to ensuring that the right people are in the right roles,
         accounts                                                with the right knowledge, skills, and abilities, doing the
      »» Don’t share business information on personal            right things.
         accountsz
                                                     16 | v1.0
Legal and Compliance
Ensuring compliance with laws, regulations and                               ate coverage
standards, mitigating risk, and addressing legal                          »» Establish and enforce information classification
                                                                             and access processes
matters
                                                                          »» Leverage existing best practices for compliance
                                                                             enforcement
What Legal and Compliance Does                                            »» Ensure third-parties adhere to organizational
If you are focused on mitigating or responding to legal                      cybersecurity policies through contractual terms,
risks or compliance matters, this applies to you. You                        such as Service-Level Agreements (SLAs)
do this in large part by ensuring that the organization            •   Actively participate in the enterprise risk management
remains compliant with the numerous laws, regulations,                 process, working with Planning and Governance,
and standards that apply to it. You may also respond to                Finance and Administration, and other business func-
external inquiries, challenges or complaints, as well as               tions to mitigate risks in a holistic manner
internal matters of a sensitive nature.                            •   Implement measures to mitigate risks introduced by
                                                                       partners and sup­pliers
You are close advisors to senior leaders, helping to set
policies and priorities in a manner that balances the orga-        •   Actively support the organization’s incident responders
nization’s primary purpose with the risks to which it may              during a suspected breach, including taking appro-
be exposed. You are highly responsive to legal threats, and            priate steps to preserve legal privilege to the extent
                                                                       possible
may become the focal point of interaction with those out-
side the organization when legal or compliance matters             •   Conduct post-incident law enforcement engagement,
need to be addressed, such as during litigation, court pro-            vendor notifications and public notifications as re-
ceedings, audits, and when law enforcement is involved.                quired
                                                                   •   Protect access to any online file sharing or decision
You matter to the organization, because you ensure that
                                                                       support platform by applying best practices, such as:
it remains in good standing with laws, regulations and
standards, allowing it to focus on its core competencies.                 »» Strong passphrases
Without you, the organization could easily find itself in                 »» Unique passphrases for each critical account
trouble, and subject to criminal, civil and audit liabilities.            »» Multi-factor authentication
                                                                   •   Protect sensitive legal and compliance information
The Role of Legal and Compliance                                          »» Share only necessary information
in Cybersecurity is All About:                                            »» Ensure the information is destroyed in com-
 1. Minimizing liabilities associated with the organiza-                     pliance with the organization’s data retention
    tion’s cybersecurity posture                                             policies or external regulations
 2. Ensuring compliance with cybersecurity laws, regula-
    tions, and standards                                               Your title includes words like:
 3. Addressing the legal implications of incidents when                General Counsel, Corporate Counsel, Inspector General,
    they arise                                                         Internal Audit, Legal, Compliance, Risk, Privacy Officer,
                                                                       Attorney, Investigator, Paralegal, Legal Assistant, Import/
What Legal and Compliance professionals should do:                     Export Compliance
• Understand the legal implications of cybersecurity in
  order to enable sound risk mitigation                                Information and systems you
     »» Engage with credible third parties to learn about              own, manage, or use:
        cybersecurity and law—this includes professional
                                                                       • Articles of incorporation, charters and formation docu-
        associations, industry groups, consultants, and
                                                                         ments
        educators
                                                                       • Contracts and agreements
     »» Remain current on emerging regulations and                     • Compliance reports
        standards                                                      • Audit reports
• Implement an effective compliance program for the                    • Legal briefs
  organization                                                         • Communications with retained law firms
                                                                       • Communications with law enforcement agencies
     »» Assess the organization’s exposure to laws, regula-            • Databases and file storage for Legal and Compliance teams
        tions, and industry standards to ensure appropri-

                                                                 17 | v1.0
You can also read
Next slide ... Cancel