Strategic Cybersecurity Risk Management Plan
1 Mission statement:
Design and implement a cybersecurity risk management program for the organization for
adoption in the Company’s strategic plan.
2 Vision statement:
Cultivate a security-focused mindset across all our business assets and operations.
3 Introduction
From the earliest days, living in an environment that guaranteed the security of property and
people has been vital. This need was met by warriors tasked with that critical responsibility,
whose training instilled the idea of securing the community's or clan's assets at all cost.
Over time, however, assets and property have moved to digital platforms and environments.
Virtual assets have therefore become more important to secure, and their risk and exposure
continue to increase every day. Von Solms and Van Niekerk (2013) argued that the digital value
of a commodity, and hence its risk, varies from asset to asset and from entity to entity
depending on the value of what is stored. Threats to these assets originate from all sides,
ranging from competition to malice and curiosity. Mediakind is one of the organizations that
rely on digital platforms in all of their operations. This places it at an elevated level of
risk, bearing in mind the business it is in and the category of value it handles.
Mediakind is an entity that deals with media creation, gathering, processing, delivery, and
storage. This enables the platform to make customized media available to its clients anywhere
and at any time. The environment calls for the use of various platforms, including cloud
technology, the internet, and numerous hardware platforms, that ensure this is done
efficiently. The company has developed a good relationship with its customers, reinforced by
the numerous global awards and presentations it has to its name. We can therefore say that
Mediakind has become a market leader in the media industry, and this alone exposes it to
considerable risk. In addition, the company has partnered with many other entities to assist
them in delivering their media content to customers. Fortunately, Mediakind can establish an
end-to-end connection anywhere at any time. To sustain this rate of innovation and
competitiveness, the company needs to understand that it holds a valuable position in the
media industry and in the global market and economy. Ensuring that its infrastructure remains
secure is therefore critical as technologies advance and threats increase. Mediakind will need
to assess its vulnerabilities and ensure intruders cannot compromise its territory, as a
compromise could bring serious consequences across the board. Luiijf, Besseling and De Graaf
(2013) argued that a proper cybersecurity risk management plan is mandatory given the
prevailing threat levels. This document therefore lays out the strategic cybersecurity risk
management plan for Mediakind for an efficient and secure infrastructure. This will also help
ensure its continued dominance in the market.
4 Standard and Regulatory References
#   Document Identifier   Document Title
1   ISO 27001             Information security management systems — Requirements (second edition)
2   PCI DSS               PCI DSS Documentation Toolkit
5 Definitions
According to Öğüt, Raghunathan, and Menon (2011), cybersecurity risk is the potential of a
given threat to exploit a vulnerability of an entity's asset or assets and thereby cause harm
to the organization.
6 Conventions
Cybersecurity risk and security risk are here deemed to have the same meaning in context and
application.
7 Responsibilities
In the earlier days of security risk management, small groups of IT staff were tasked with
ensuring that the entire information systems strategy worked as expected. Modern operating
environments, however, are changing and demand the inclusion of many other personnel. The aim
is to assemble comprehensive and exhaustive information on the entity's risk position and the
vulnerabilities that could be exploited, and on that basis to draw up a mitigation plan.
8 The Strategic Cybersecurity Risk Management Team
Person                 Responsibility
Audit manager          To provide input on fraud cases that may have been identified
QA manager             To liaise with employees on the availability and quality of services as stipulated
System administrator   To provide input on hardware vulnerabilities that need to be addressed
Security analyst       To compile risks and vulnerabilities and present a solution for discussion
Security architect     To design a solution for identified risks and vulnerabilities
Security engineer      To implement security solutions to protect MediaKind
Operations manager     To provide responses and suggestions on the systems' operating deficiencies and user concerns
HR manager             To coordinate and organize the team during meetings
Finance manager        Together with the audit manager, to give input on financial systems vulnerabilities
CISO                   To ensure that the agreed solutions have been implemented so as to ensure business continuity
The Mediakind personnel listed above will therefore be tasked with steering the strategic plan
and raising current security levels to the required standards. This group will also be
responsible for making alterations and updates to this document so that it responds to new
threats and changes in the operating environment.
9 Cyber Risk Management Process
Cybersecurity management is a continuous process and can therefore be represented by the
chart below.
9.1 Risk Management Flow Chart
Source: https://www.google.com
10 Assets Identification
For effective implementation of a cybersecurity plan, Disterer (2013) advised that it is
essential to identify assets and establish their boundaries. An asset is anything deemed of
value to the company or to the manufacturer of the asset. In the case of MediaKind, the
following assets have been identified.
10.1 Hardware and Software Resources
The server Hardware
The server Software
End-user applications
End user nodes
Operations Environment
Server Environment
User Environment
Intranet
Extranet
Web Access
10.2 Additional devices
Smartphone access
Tv access
Transmission channels
10.3 The processes involved in the service
o Media Creation
o Media Storage
o Media processing
o Media Transmission
o Internal processes
o Customer service
o Cloud Services
10.4 Information assets
o Multimedia Data
o Configuration data,
o Logs files
10.5 Network Assets
o Wifi, adapters,
o Connectors
o Routers
o Switches
o NIC cards
10.6 Network interfaces and protocols
o HTTP, UDP, TCP
o Network Ports
All these assets are essential to the organization and shall be secured to the maximum possible
level. They form the operating environment and are therefore core to the sustainability of the
entity's operations.
10.7 The user groups
o Internal users
o Client users,
o Administrators
o Managers
o Customer service personnel
11 Training
Research by Boyce et al. (2011) recommended continuous and regular updating of users'
knowledge of current information systems and the risks associated with their use. Because of
the varying degrees of knowledge and areas of expertise, members will be given mandatory
training sessions at selected venues. This will ensure that they gain the required experience
in cybersecurity and avoid exposing themselves and the company at large. Refresher courses and
training will also be offered to those users who are vital in implementing the strategy. In so
doing, users will be required to take responsibility for their actions in the event of a breach
caused by user negligence. This training will focus on a few attack trends and techniques.
All administrators in the class of super users will be required to attend a monthly refresher
or advancement course in the field of cybersecurity. Super users will include Information
Systems staff and all managers in MediaKind. This knowledge and expertise are expected to be
shared with other staff members as new threats and discoveries arise.
12 Constraints
Data will be made available through internet technology as well as dedicated and private
networks. This will be guaranteed through network redundancy and backup media in the cloud
facility. As the Risk IT Framework for Management of IT Related Business Risks (n.d.)
acknowledges, to ensure maximum security of the assets, user access levels and access rights
will be granted on a need-to-know basis, with further clearance given on demand. This will
include access to server rooms, both in-house and on the cloud platform. However, the CISO
and all network security personnel will be granted administrative rights so that they can
reset, override, and revise user access levels. This is to enable detection and immediate
correction of anomalies during operations. We will also establish a continuous relationship
with all hardware and software manufacturers to maximize our security through patches and
updates. This will also ensure that we continue to receive documentation on operating these
assets at optimum capacity.
13 Risk assessment
This document therefore sets the standards for risk identification, analysis, and evaluation
to meet the objectives of the process and to rank priorities across systems and risks.
In the event of any security occurrence, a preliminary assessment will be conducted by the
security group committee to review the overall security status of the organization. This will
also assist in evaluating immediate response actions before the threat is contained and
eliminated.
13.1 Threats
Threats are entities or activities that are likely to cause damage to our assets. In the case of
Mediakind, we have identified the following threats:
Criminal organizations (black hat hackers) - these may compromise resource integrity and
therefore cause losses of unknown magnitude.
Inexperienced users - this is a primary consideration, and it is why the organization will
conduct continuous refresher courses to update skills and, where possible, improve
performance.
Natural events - the cause of these events cannot be controlled, and the remedies will include
backup strategies and redundancy plans. This will ensure that services continue to be offered
to our customers without interruption.
14 Existing Controls
Because of the technologies and threats that have evolved in the past, MediaKind has various
security plans in place. However, modern attack techniques and the level of competition in the
business have forced the company to adopt a proper procedure for this process. The company
has in place firewalls, registered antivirus software, user policies, and usage monitoring tools.
We have also been monitoring our networks and ensured that all data leaving and arriving at
our assets is fully encrypted using asymmetric encryption methods. This has helped
significantly to reduce risk, but a strategic approach has become fundamental.
These methods have been effective and, given the budget allocations to the departments in the
past, they have played a significant role. But it has been observed that they are no longer
able to serve the company properly. It has therefore been recommended that a more exhaustive
process be put in place to identify assets and assign priorities to risks and approach
techniques.
15 Vulnerabilities
A past evaluation found the company vulnerable for various reasons. It was noted that many
users have not been changing their passwords as required, and some have been writing them
down on physical objects. It is also worth noting that the email scanners have not been
working most of the time, which has placed company assets at considerable risk. The
assessment that was conducted and reported also found that servers have not been updated
regularly.
From a corporate angle, we have outgrown many of our competitors and attained a global
image. This has increased risk and made us vulnerable to attacks from all directions. Our
services are also superb, and many would want to steal our technologies to further their own
business ambitions. We have also noted that internal threats make us more vulnerable to
attacks, and we therefore call on our people to report any issue that may raise concern about
system usage.
16 Consequences
With this in mind, we note with regret the unexpected case in which we do not implement this
strategy, because the damage could be disastrous and irreversible. In such a case, we would
lose our credibility to do business with both our strategic partners and our customers.
We therefore call for proactivity in all corners of the organization to ensure the
sustainability of the business. A study by Liu, Xiao, Li, Liang, and Chen (2012) advised that
all information pertaining to our assets, vulnerabilities, threats, current controls, and
consequences should always be recorded in the security risk assessment report, and we wish to
conform to this sound practice.
17 Analysis
In this process, all risks will be ranked according to their likelihood of taking advantage of a
vulnerability and the impact they could cause to the entity (Bhagat, 2012). This will also take
account of the data collected in the assessment stages. The respective departmental heads will
be required to provide an analysis of the possible impact within their departments so that
measures can be prioritized and taken accordingly. The results of this stage must be recorded
in the risk assessment report.
18 Evaluation
The RPN (Risk Priority Number) will be derived from the acceptance criteria, as stated in
section 18 below. This will also take into account legal implications and regulatory
requirements in the event of a security occurrence. The results of this stage will be recorded
as well.
19 Risk treatment
According to Martin and Kung (2018), risk treatment is the process used to contain a risk.
Because of the category of business that MediaKind is in, all risks will be treated in
different ways, which will include one or more of the following:
1. Modification or control - this will employ the following order of approach
2. Retention,
3. Avoidance,
4. Sharing.
Vulnerabilities and impacts on our end customers due to risk treatment will be a primary
consideration.
20 Risk acceptance
This will be conducted using the ranking criteria in section 21 and will consider the risk
treatment plan. A risk will be accepted if there is justification to override the acceptance
criteria.
21 Risk communication
The assessment report will be communicated to all stakeholders inside and outside the
organization to update and inform on progress and expectations.
22 Post-production monitoring and review
To keep track of the security status of our systems, a Risk Management File (RMF) will be
reviewed and updated when:
Services are updated,
Resources are changed (assets, vulnerabilities, and threats),
Post-marketing information triggers a review - this will be conducted quarterly, and reviews
will always be documented in the RMF. This may involve re-evaluation of the ranking system
and updates where necessary.
23 Ranking system for security risk analysis
This section gives guidelines on the allocation of priority levels based on the following
characteristics:
Probability of occurrence,
Severity of impacts,
Additional criteria.
23.1 Probability of occurrence
Level   Description                                                        Probability of Occurrence (P)
6       Occurs weekly                                                      High probability
5       Occurs monthly                                                     High probability
4       Could occur weekly                                                 Moderate probability
3       Could occur once a year but not known                              Low probability
2       Has never occurred but likely to occur once in a device lifetime   Low probability
1       Can happen but only in extreme circumstances                       Very low probability
23.2 Severity
Level   Description                                                                        Severity
5       Affects data confidentiality and causes a huge amount of data loss;                Catastrophic
        threatens organizational competitive advantage
4       Significant loss of data integrity; threatens the company's strategic partners     Critical
3       Causes some loss of data integrity; affects end-user customers                     Moderate
2       May cause limited disclosure of non-sensitive data; causes budgetary overruns      Minor
1       Causes non-sensitive data disclosure; no cost implications                         Negligible
23.3 Risk Priority Number
MediaKind will use the following formula to calculate the RPN:
Risk Priority Number (RPN) = Probability of Occurrence (P) * Severity (S)
Sample RPN Table
24 Sample Table of Risk Priority Using Two Variables
TABLE OF RISK PRIORITY NUMBER (RPN = P * S, with the acceptance class beside each value)

Probability (P)       Negligible (1)   Minor (2)       Moderate (3)        Critical (4)        Catastrophic (5)
Level 6               6 Acceptable     12 Tolerable    18 (no class given) 24 (no class given) 30 (no class given)
Frequent (5)          5 Acceptable     10 Tolerable    15 Not-Acceptable   20 Not-Acceptable   25 Not-Acceptable
Probable (4)          4 Acceptable     8 Tolerable     12 Not-Acceptable   16 Not-Acceptable   20 Not-Acceptable
Occasional (3)        3 Acceptable     6 Tolerable     9 Tolerable         12 Not-Acceptable   15 Not-Acceptable
Unlikely (2)          2 Acceptable     4 Acceptable    6 Tolerable         8 Tolerable         10 Tolerable
Very Unlikely (1)     1 Acceptable     2 Acceptable    3 Acceptable        4 Acceptable        5 Acceptable
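As an added worked example (not part of the original plan), the following Python encodes the probability and severity levels above and the acceptance matrix of section 24 as lookups, so a risk entry can be scored and classified exactly as this ranking system prescribes; it also shows that the acceptance class is read from the matrix cell, not from the RPN value alone. The sample register and its level values are constructed for illustration.

```python
# Worked example of the ranking system: scores a risk as RPN = P * S and looks
# up its acceptance class in the section 24 matrix instead of guessing a
# threshold.  Cells the page leaves unclassified are reported as such.

# Probability levels (section 23.1) with the row names of section 24; the
# level-6 row has no name on the page.
PROBABILITY = {6: None, 5: "Frequent", 4: "Probable", 3: "Occasional",
               2: "Unlikely", 1: "Very Unlikely"}
SEVERITY = {5: "Catastrophic", 4: "Critical", 3: "Moderate", 2: "Minor",
            1: "Negligible"}

# Acceptance matrix of section 24, indexed [probability][severity].  None marks
# a cell that carries an RPN value but no acceptance class on the page.
A, T, N = "Acceptable", "Tolerable", "Not-Acceptable"
ACCEPTANCE = {
    6: {1: A, 2: T, 3: None, 4: None, 5: None},
    5: {1: A, 2: T, 3: N, 4: N, 5: N},
    4: {1: A, 2: T, 3: N, 4: N, 5: N},
    3: {1: A, 2: T, 3: T, 4: N, 5: N},
    2: {1: A, 2: A, 3: T, 4: T, 5: T},
    1: {1: A, 2: A, 3: A, 4: A, 5: A},
}


def rpn(probability, severity):
    """Risk priority number = probability of occurrence * severity (section 23.3)."""
    if probability not in PROBABILITY or severity not in SEVERITY:
        raise ValueError("probability must be 1..6 and severity 1..5")
    return probability * severity


def classify(probability, severity):
    """Acceptance class from the section 24 matrix, or 'Unclassified'."""
    rpn(probability, severity)  # validates the inputs
    return ACCEPTANCE[probability][severity] or "Unclassified"


def classes_for_rpn(value):
    """Every class the matrix assigns to cells whose product equals `value`."""
    return {classify(p, s) for p in PROBABILITY for s in SEVERITY
            if p * s == value}


def rank(register):
    """Order (asset, threat, P, S) entries highest RPN first as (asset, threat, rpn, class)."""
    scored = [(a, t, rpn(p, s), classify(p, s)) for a, t, p, s in register]
    return sorted(scored, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    # Constructed sample register built from the threats and vulnerabilities
    # named above; the P and S levels are illustrative, not from the page.
    for row in rank([("Email scanners", "Inexperienced users", 4, 3),
                     ("Servers", "Criminal organizations", 3, 4),
                     ("Cloud backups", "Natural events", 2, 5)]):
        print(*row)
```

Note that classes_for_rpn(12) returns both Tolerable and Not-Acceptable, so a report must record the P and S levels, not just the product.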
25 Communication with the safety risk management team
Continuous communication between the strategic team and the safety risk management team
will be established and safeguarded (Zhou & Hu, 2008).
When a security breach has occurred, the information shall without fail be reported to the
communication officer.
References
Anwar, A., & Mahmood, A. N. (2014). Cyber security of smart grid infrastructure. arXiv preprint arXiv:1401.3936.
Boyce, M. W., Duma, K. M., Hettinger, L. J., Malone, T. B., Wilson, D. P., & Lockett-Reynolds, J. (2011). Human performance in cybersecurity: A research agenda. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 55(1), 1115-1119. Los Angeles, CA: SAGE Publications.
Collier, Z. A., DiMase, D., Walters, S., Tehranipoor, M. M., Lambert, J. H., & Linkov, I. (2014). Cybersecurity standards: Managing risk and creating resilience. Computer, 47(9), 70-76.
Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for information security management.
Hahn, A., & Govindarasu, M. (2011). Cyber attack exposure evaluation framework for the smart grid. IEEE Transactions on Smart Grid, 2(4), 835-843.
Liu, J., Xiao, Y., Li, S., Liang, W., & Chen, C. P. (2012). Cyber security and privacy issues in smart grids. IEEE Communications Surveys & Tutorials, 14(4), 981-997.
Luiijf, E., Besseling, K., & De Graaf, P. (2013). Nineteen national cyber security strategies. International Journal of Critical Infrastructures 6, 9(1-2), 3-31.
Martin, Y. S., & Kung, A. (2018). Methods and tools for GDPR compliance through privacy and data protection engineering. In 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 108-111). IEEE.
Öğüt, H., Raghunathan, S., & Menon, N. (2011). Cyber security risk management: Public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Analysis: An International Journal, 31(3), 497-512.
Ray, P. D., Harnoor, R., & Hentea, M. (2010). Smart power grid security: A unified risk management approach. In 44th Annual 2010 IEEE International Carnahan Conference on Security Technology (pp. 276-285). IEEE.
Risk IT Framework for Management of IT Related Business Risks. (n.d.). Retrieved from http://www.isaca.org/knowledge-center/risk-it-it-risk-management
Susskind, N. G. (2014). Cybersecurity compliance and risk management strategies: What directors, officers, and managers need to know. NYU Journal of Law & Business, 11, 573.
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.
Zhou, Z., & Hu, C. (2008). Study on the e-government security risk management. International Journal of Computer Science and Network Security, 8(5), 208-213.