The Federal Information Security Modernization Act of 2014 (FISMA) defines incident as an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

Notification Requirement

Agencies must report information security incidents, where the confidentiality, integrity, or availability of a federal information system of a civilian Executive Branch agency is potentially compromised, to the NCCIC/US-CERT with the required data elements, as well as any other available information, within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department. In some cases, it may not be feasible to have complete and validated information for the section below (Submitting Incident Notifications) prior to reporting. Agencies should provide their best estimate at the time of notification and report updated information as it becomes available. Events that have been found by the reporting agency not to impact confidentiality, integrity or availability may be reported voluntarily to US-CERT; however, they may not be included in the FISMA Annual Report to Congress.

In 1986, theUnited States Congress enacted the Computer Fraud and Abuse Act (CFAA), as an amendment to18 U.S.C. 1030. The CFAA has since been amended multiple times to address advancements in technologyand cybercrime. The CFAA criminalizes knowingly accessing a computer without authorization, obtainingprotected information, with the intent to defraud, intentionally causing unauthorized damage to a protectedcomputer, knowingly and with intent to defraud trafficking in passwords or access information, and extortioninvolving computers.

Managing cyber risks requires building a Culture of Cyber Readiness. The Culture of Cyber Readiness has six Essential Elements:

Yourself

You, as leader of your organization are an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to drive cybersecurity strategy, investment and culture.

Actions For Leaders

• Lead investment in basic cybersecurity.
• Determine how much of your organization's operations are dependent on IT.
• Build a network of trusted relationships with sector partners and government agencies for access to timely cyber threat information.
• Approach cyber as a business risk.

Action to Take in Consultation with IT

• Lead development of cybersecurity policies.

To learn more about how you can drive cybersecurity strategy, investment and culture, explore the Cyber Essentials Toolkit on this element.

Your Staff

As users of your organization’s digital equipment and systems, your staff are essential elements of your organization’s Culture of Cyber Readiness. Your task for this element is to develop cybersecurity awareness and vigilance.

Actions For Leaders

• Develop a culture of awareness to encourage employees to make good choices online.
• Learn about risks like phishing and business email compromise.
• Maintain awareness of current events related to cybersecurity, using lessons-learned and reported events to remain vigilant against the current threat environment and agile to cybersecurity trends.

Actions to Take in Consultation with IT

• Leverage basic cybersecurity training to improve exposure to cybersecurity concepts, terminology and activities associated with implementing cybersecurity best practices.
• Identify available training resources through professional associations, academic institutions, private sector and government sources.

Your Systems

As the infrastructure that makes your organization operational, your systems are an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to protect critical assets and applications.

Action For Leaders

• Learn what is on your network. Maintain inventories of hardware and software assets to know what is in play and at-risk from attack.

Actions to Take in Consultation with IT

• Leverage automatic updates for all operating systems and third-party software.
• Implement security configurations for all hardware and software assets.
• Remove unsupported or unauthorized hardware and software from systems.
• Leverage email and web browser security settings to protect against spoofed or modified emails and unsecured webpages.
• Create application integrity and whitelisting policies so that only approved software is allowed to load and operate on their systems.

Your Surroundings

As your organization’s digital workplace, this is an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to ensure only those who belong on your digital workplace have access to it.

Actions to Take in Consultation with IT

• Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).
• Leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users.
• Grant access and admin permissions based on need-to-know and least privilege.
• Leverage unique passwords for all user accounts.
• Develop IT policies and procedures addressing changes in user status (transfers, termination, etc.).

Your Data

Your data, intellectual property, and other sensitive information is what your organization is built on. As such, it is an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to make backups and avoid loss of information critical to operations.

Action For Leaders

• Learn how your data is protected.

Actions to Take in Consultation with IT

• Learn what information resides on your network. Maintain inventories of critical or sensitive information.
• Learn what is happening on your network. manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.
• Domain name system protection.
• Leverage malware protection capabilities.
• Establish regular automated backups and redundancies of key systems.
• Leverage protections for backups, including physical security, encryption and offline copies.

Your Crisis Response

As your strategy for responding to and recovering from compromise, this is an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to limit damage and quicken restoration of normal operations.

Actions For Leaders

• Lead development of an incident response and disaster recovery plan outlining roles and responsibilities. Test it often.
• Leverage business impact assessments to prioritize resources and identify which systems must be recovered first.
• Learn who to call for help (outside partners, vendors, government/industry responders, technical advisors and law enforcement).
• Lead development of an internal reporting structure to detect, communicate and contain attacks.

Action to Take in Consultation with IT

• Leverage in-house containment measures to limit the impact of cyber incidents when they occur.

Booting Up: Things to Do First

Even before your organization has begun to adopt a Culture of Cyber Readiness, there are things you can begin doing today to make your organization more prepared against cyber risks.

Backup Data

Employ a backup solution that automatically and continuously backs up critical data and system configurations.

Multi-Factor Authentication

Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.

Patch &Update Management

Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware (replace network hardware like routers 3 years after purchase and computing devices 5 years after purchase). Test and deploy patches quickly.

Recommendations

Questions Every CEO Should Ask About Cyber Risks

As technology continues to evolve, cyber threats continue to grow in sophistication and complexity. Cyber threats affect businesses of all sizes and require the attention and involvement of chief executive officers (CEOs) and other senior leaders. To help companies understand their risks and prepare for cyber threats, CEOs should discuss key cybersecurity risk management topics with their leadership and implement cybersecurity best practices. The best practices listed in this document have been compiled from lessons learned from incident response activities and managing cyber risk.

What should CEOs know about the cybersecurity threats their companies face?

CEOs should ask the following questions about potential cybersecurity threats:

• How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
• What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
• How can my business create long-term resiliency to minimize our cybersecurity risks?
• What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
• What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?

What can CEOs do to mitigate cybersecurity threats?

The following questions will help CEOs guide discussions about their cybersecurity risk with management:

• What is the threshold for notifying executive leadership about cybersecurity threats?
• What is the current level of cybersecurity risk for our company?
• What is the possible business impact to our company from our current level of cybersecurity risk?
• What is our plan to address identified risks?
• What cybersecurity training is available for our workforce?
• What measures do we employ to mitigate insider threats?
• How does our cybersecurity program apply industry standards and best practices?
• Are our cybersecurity program metrics measureable and meaningful?
• How comprehensive are our cybersecurity incident response plan and our business continuity and disaster recovery plan?
• How often do we exercise our plans?
• Do our plans incorporate the whole company or are they limited to information technology (IT)?
• How prepared is my business to work with federal, state, and local government cyber incident responders and investigators, as well as contract responders and the vendor community?

Recommended Organizational Cybersecurity Best Practices

The cybersecurity best practices listed below can help organizations manage cybersecurity risks.

• Elevate cybersecurity risk management discussions to the company CEO and the leadership team.
  • CEO and senior company leadership engagement in defining an organization's risk strategy and levels of acceptable risk is critical to a comprehensive cybersecurity risk plan. The company CEO—with assistance from the chief information security officer, chief information officer, and the entire leadership team—should ensure that they know how their divisions affect the company’s overall cyber risk. In addition, regular discussion with the company board of directors regarding these risk decisions ensures visibility to all company decision makers.
    • Executives should construct policy from the top down to ensure everyone is empowered to perform the tasks related to their role in reducing cybersecurity risk. A top-down policy defines roles and limits the power struggles that can hurt IT security.
• Implement industry standards and best practices rather than relying solely on compliance standards or certifications.
  • Lower cybersecurity risks by implementing industry benchmarks and best practices (e.g., follow best practices from organizations like the Center for Internet Security). Organizations should tailor best practices to ensure they are relevant for their specific use cases.
  • Follow consistent best practices to establish an organizational baseline of expected enterprise network behavior. This allows organizations to be proactive in combatting cybersecurity threats, rather than expending resources to put out fires.
  • Compliance standards and regulations (e.g., the Federal Information Security Modernization Act) provide guidance on minimal requirements; however, there is more businesses can do to go beyond the requirements.
• Evaluate and manage organization-specific cybersecurity risks.
  • Identify your organization’s critical assets and the associated impacts from cybersecurity threats to those assets to understand your organization’s specific risk exposure—whether financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investments, and develop policies and strategies to manage cybersecurity risks.
  • Ask the questions that are necessary to understand your security planning, operations, and security-related goals. For example, it is better to focus on the goals your organization will achieve by implementing overall security controls instead of inquiring about specific security controls, safeguards, and countermeasures.
  • Focus cyber enterprise risk discussions on what-if situations and resist the it can't happen here patterns of thinking.
  • Create a repeatable process to cross-train employees to conduct risk and incident management as an institutional practice. Often, there are only a few employees with subject matter expertise in key areas.
• Ensure cybersecurity risk metrics are meaningful and measurable.
  • An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the enterprise. In this example, reducing the days it takes to patch a vulnerability directly reduces the risk to the organization.
  • An example of a less useful metric is the number of alerts a Security Operations Center (SOC) receives in a week. There are too many variables in the number of alerts an SOC receives for this number to be consistently relevant.
• Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.
  • It is critical that organizations test their incident response plans across the whole organization, not just in the IT environment. Each part of the organization should know how to respond to both basic and large-scale cybersecurity incidents. Testing incident response plans and procedures can help prevent an incident from escalating.
  • Incident response plans should provide instructions on when to elevate an incident to the next level of leadership. Regularly exercising incident response plans enables an organization to respond to incidents quickly and minimize impacts.
• Retain a quality workforce.
  • Cybersecurity tools are only as good as the people reviewing the tools’ results. It is also important to have people who can identify the proper tools for your organization. It can take a significant amount of time to learn a complex organization’s enterprise network, making retaining skilled personnel just as important as acquiring them. There is no perfect answer to stopping all cybersecurity threats, but knowledgeable IT personnel are critical to reducing cybersecurity risks.
  • New cybersecurity threats are constantly appearing. The personnel entrusted with detecting cybersecurity threats need continual training. Training increases the likelihood of personnel detecting cybersecurity threats and responding to threats in a manner consistent with industry best practices.
  • Ensure there is appropriate planning to account for the additional workload related to mitigating cybersecurity risks.
  • Cybersecurity is emerging as a formal discipline with task orientation that requires specific alignments to key knowledge, skills, and abilities. The National Initiative for Cybersecurity Careers and Studies (NICCS) is a useful resource for workforce planning.
• Maintain situational awareness of cybersecurity threats.
  • Subscribe to notifications on emerging cybersecurity threats (e.g., National Cyber Awareness System products, MITRE Common Vulnerability Exposures, CERT Coordination Center Vulnerability Notes). If possible, create a summary on the cybersecurity threats your organization has recently faced (e.g., phishing emails, malware, ransomware) for dissemination to personnel outside of your IT department to help reinforce their role in reducing cybersecurity risk.
  • Explore available communities of interest. These may include sector-specific Information Sharing and Analysis Centers, the Homeland Information Sharing Network, or other government and intelligence programs.

Refer to the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials page for recommendations on managing cybersecurity risks for small businesses.

Cybersecurity evolution should eventually lead to a zero-trust environment where devices, services and people will be required to continually request access to critical systems and data. Unless otherwise stated, all access is denied by default in a zero trust environment.

Fast Cybersecurity Policies for broke, time-starved small businesses. If you are a broke small business and do not have any money and little time to spend on making cybersecurity policies, use the US Federal Communications Commission (FCC) CyberPlanner to make policies fast. The FCC policies are somewhat out of date but it will be better to have these policies fast than no policies at all.