How to Pretend You're in Control: A Guide
The planning process, from the organization's point of view, is a method for managing cyber risks within the organization. Its purpose is to help organizations identify the relevant risks, formulate a defensive response, and implement a risk reduction plan accordingly.
The intended audience for this process includes managers and experts in the fields of information security and cyber defense.
Different methods should be used for risk assessment and management depending on the organization's size, its legal and regulatory compliance requirements, and other parameters, for example according to organization category. Category A organizations are those where the scope of damage caused by a cyber incident does not exceed USD 1.5 million, while Category B organizations are those where the damage caused by a cyber incident may cost more than USD 1.5 million.
The process for Category A organizations is a simple and quick one: mapping Defense objectives and answering a limited number of questions tailored to organizations in this category. It is usually carried out through an external party that supports the Cyber Defense aspects of the organization.
The process for Category B organizations consists of a Risk Assessment, an understanding of the Defense response required by the Risk Matrix and the Risk Appetite, an examination of the current situation against industry-accepted Defense recommendations (Gap Analysis), and the formulation of a work plan for the mitigation of risks (Mitigation Plan) or other risk handling measures.
The final product of the process is that the organization understands its organizational risk map and which controls are needed to reduce those risks, including the right priorities for implementing the work plan. These controls form the basis for building the work plan, allocating resources, and preparing the organization accordingly.
Key components of the planning process
The key components of the planning process in the organization:
- Demarcation of Activity: This involves understanding the organization's digital assets and where they are stored, which is crucial for identifying what needs to be protected against cyber threats.
- Risk Assessment: This includes identifying relevant risks to the organization, analyzing these risks, and assessing them to understand their potential impact and likelihood.
- Handling the Risk: Organizations must decide on a strategy for dealing with identified risks. This could involve accepting, reducing, transferring, or avoiding the risks.
- Building a Work Plan: Once risks have been identified and a strategy for handling them has been determined, the organization must develop a work plan to address the risks. This plan may include implementing processes, procuring solutions, and training employees.
- Continuous Auditing and Control: The implementation of the work plan should be periodically reviewed to ensure its effectiveness and relevance. This includes checking for new information assets, implemented controls, and required management inputs.
- Involvement of Legal Adviser: The organization's Legal Adviser should be involved early in the planning process to ensure compliance with legal and regulatory requirements and to be integrated into key decision-making processes.
- Decision-making Supported by Evidence: The organization must use independent security circles to cope with various threats and ensure that decision-making is supported by evidence, which will provide a realistic picture of the security situation (Security Posture).
- Minimizing Privacy Invasion: The Defense Doctrine control structure offers the CISO extensive freedom of action to reduce the level of risk to an acceptable value while minimizing the invasion of privacy.