First Duties
As Chief Information Security Officer of a company, the first controls I would implement would be measures that strengthen the company's security posture, such as two-factor authentication using Personal Identity Verification (PIV) cards or Common Access Cards (CAC) with a PIN to access company technology. I would also require certain credentials, such as security clearances, for job positions at certain levels, depending on the sensitivity of the information those positions would access. All employees would be required to complete annual security and privacy training with testing and an attestation of completion, so that we know they understand the education the company is providing. I would require separation of duties and specific assignment of roles for technological purposes, so that we grant only need-to-know privileges to the appropriate employees and no single person can both perform and approve the same sensitive action.
Educating the Company
Knowing that attackers are waiting to exploit any vulnerability the company leaves open, it is important to educate the company on the types of attacks we could be susceptible to, such as viruses, denial of service, and password attacks. It is equally important to educate employees on the symptoms of these attacks and what to look for. Although not everyone wishes the company harm, there are attackers who will exploit any weakness, so it is the whole company's responsibility to protect the integrity of the company's data and customers' personal information.
Protection and Plans
I would implement physical controls such as credential-controlled access to server rooms. It would be beneficial to have centralized monitoring and logging that allows us to observe and analyze the behavior of our systems, so that we can detect anomalies as early as possible. I would invest in newer, more modern firewalls and antivirus protection for the network. I would implement regular penetration testing to discover the vulnerabilities the company is susceptible to as soon as possible, keeping in mind that a penetration test finds the weaknesses present at the time of the test, not every weakness that will ever exist, which is why it must be repeated. This will help us develop a Security Risk Assessment and a Risk Management Plan. It will be important to develop a plan for monitoring and revoking access when requested by management, when employees transfer to other positions, when they transition out of the company, or when they are terminated. Because insider threat is a high risk, there will be a need for an Insider Threat Program and education about it throughout the company, especially for managers. Hiring an adequate cybersecurity team will be vital, especially for creating and implementing a Business Impact Analysis, a Cyber Incident Response Plan, and a Business Continuity Plan.
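The access-revocation plan for transfers and departures, and the separation-of-duties rule from the first section, are the kind of review that is easy to state and easy to let slip. The following script is an added example, not part of the original essay: it reconciles a constructed HR roster against a constructed account inventory and flags leavers still enabled, movers who kept old roles, orphan accounts with no HR owner, dormant accounts, and separation-of-duties conflicts. The role names, entitlements, conflicting-role pairs, employee records and review date are all assumptions made up for illustration.

```python
"""Access review reconciliation (added example, not from the original essay).

Compares a constructed HR roster against a constructed account inventory and
flags the cases the access-revocation plan has to handle:
  leaver  - owner is no longer active: disable the account, revoke everything
  mover   - owner changed jobs but still holds entitlements from the old one
  orphan  - account has no HR owner (service account or missed offboarding)
  dormant - no login within the review window, regardless of status
  sod     - one person holds roles that separation of duties forbids together
Role names, entitlements, conflict pairs and dates are assumptions for illustration.
"""
from datetime import date, timedelta

# Hypothetical role -> entitlement map (assumption for this example).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "ap_approver": {"erp:approve_payment"},
    "sysadmin": {"server_room:badge", "prod:ssh"},
    "analyst": {"reports:read"},
}

# Role pairs one person must never hold at the same time (separation of duties).
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}

# Constructed HR roster: employee id -> (status, current role).
HR_ROSTER = {
    "e100": ("active", "ap_clerk"),
    "e101": ("active", "ap_approver"),
    "e102": ("terminated", "sysadmin"),
    "e103": ("active", "analyst"),  # transferred from sysadmin to analyst
}

# Constructed account inventory: account -> (employee id, roles held, last login).
ACCOUNTS = {
    "alice": ("e100", {"ap_clerk"}, date(2024, 5, 1)),
    "bob": ("e101", {"ap_approver", "ap_clerk"}, date(2024, 5, 2)),  # SoD conflict
    "carol": ("e102", {"sysadmin"}, date(2024, 4, 28)),  # terminated, still enabled
    "dave": ("e103", {"sysadmin"}, date(2024, 5, 3)),  # mover kept old role
    "svc_backup": (None, {"sysadmin"}, date(2023, 1, 1)),  # no HR owner, dormant
}

# Constructed date on which the review is run.
REVIEW_DATE = date(2024, 5, 10)


def entitlements_for(roles):
    """Union of the entitlements granted by a set of roles."""
    granted = set()
    for role in roles:
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    return granted


def entitlements_to_revoke(roles_held, current_role):
    """Entitlements the account holds that the current job does not grant."""
    return entitlements_for(roles_held) - ROLE_ENTITLEMENTS.get(current_role, set())


def review_access(hr_roster, accounts, today, dormant_days=90):
    """Return a list of (finding, account, detail) tuples for the reviewer."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for account, (emp_id, roles, last_login) in sorted(accounts.items()):
        if last_login < cutoff:
            findings.append(("dormant", account, f"no login since {last_login.isoformat()}"))
        if emp_id is None or emp_id not in hr_roster:
            findings.append(("orphan", account, "no HR owner: disable pending investigation"))
            continue
        status, current_role = hr_roster[emp_id]
        if status != "active":
            findings.append(("leaver", account, f"owner {emp_id} is {status}: disable, revoke all"))
            continue
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append(("sod", account, "conflicting roles " + " + ".join(sorted(pair))))
        extra = entitlements_to_revoke(roles, current_role)
        if extra:
            findings.append(("mover", account, "revoke " + ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for kind, account, detail in review_access(HR_ROSTER, ACCOUNTS, REVIEW_DATE):
        print(f"{kind:8} {account:12} {detail}")
```

The value of running this on a schedule rather than on request is that it catches the cases management never asked about: the terminated employee whose account was never disabled, the transferred employee who kept the old team's access, and the service account nobody owns.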
Conclusion
Regarding funds, these are the basics that most companies should be doing anyway. With limited funds the company would not be spending too much, and the benefits of implementing education, the physical and network controls, centralized monitoring, and a couple of needed risk plans would far outweigh the costs. Adding processes and procedures for employees to follow will save more money in the future.