
International Journal of Advanced Network, Monitoring and Controls, Volume 04, No. 03, 2019

Cyber Security Cookbook for Practitioners


Devesh Mishra
Technologist – Mount Sinai Health System, NY
New Jersey, USA
e-mail: [email protected]

DOI: 10.21307/ijanmc-2019-063

Abstract—The scope of this paper is to provide the essential framework to C-suite/Management executives in the case of cyber events. This paper will further analyze the various threat vectors from the operational perspective and provide the remediation plan during the case of cyber-attacks.

Keywords: CIO; CISO; CFO; Risk Management

I. GENERAL OVERVIEW

Organizations prepare for various types of emergencies by developing a disaster recovery plan to cover flood, fire, earthquakes, and other unforeseen events that may disrupt their operations. It is equally important to protect the organization’s assets against cyber threats and to have a robust playbook for them. According to IBM’s CEO, “Cyber Crime Is the Greatest Threat to Every Company in the World” [1]. Darkreading.com states, “Global cost of cybercrime predicted to hit $6 trillion annually by 2021” [2].

Cybersecurity should be an integral part of corporate strategy. As Touhill advises, the cybersecurity plan focuses on the following questions (Touhill & Touhill, 2014, as of Page 97):

• Where are we now?
  • SWOT analysis
• What do we have to work with?
  • Information
  • Technology
  • Finances
  • Personnel
  • Plans
• Where do we want to be?
  • Value
  • Risk Management
  • Effectiveness
  • Competencies
• How do we get there?
  • What will be done?
  • Who is responsible for doing it?
  • How will it be done?
  • What resources are required?
  • Risk Management
  • Measuring progress and success

The basic security principles of Least Privilege, Defense in Depth, and Separation of Duties are observed. These concepts will drive many of the security design decisions, just as Confidentiality, Integrity, Availability, and Accountability will inform the requirements for controls to mitigate specific risks (Wheeler, 2011, Page 19).

II. ENTERPRISE RISK MANAGEMENT

Risk Management is defined as “the function of determining the proper steps to manage risk, whether it be to accept, mitigate, transfer, or avoid the risk” (Wheeler, 2011, Page 149):

• Accept: A decision to accept the risk
• Avoid: Ceasing (or not engaging in) the activity that is presenting the risk altogether
• Transfer: Shifting responsibility or liability for a risk to another party by contracting the corresponding cyber insurance
• Mitigate: Limit the exposure in some way

A. Risk Management and FAIR

Risks are identified and managed in accordance with corporate strategy and the corporation’s risk appetite (Wheeler, 2011, Chapter 3 as of Page 43). Risk management incorporates the following:

• Resource Profiling
• Risk Assessment
• Risk Evaluation
• Documentation
• Risk Mitigation
• Validation
• Monitoring and Audit

The Factor Analysis of Information Risk (FAIR) [3] is used as a model for understanding, analyzing and
quantifying information risk in financial terms and builds a foundation for developing a scientific approach to information risk management.

Figure 1. Factor analysis of information risk

For resource profiling, all resources are identified and the level of sensitivity is defined for each. A detailed threat analysis is performed quarterly to identify exposure and quantify risk, and security controls are defined and implemented. It classifies the likelihood and consequences associated with each risk and how that risk could impact the business (see Tables I and II).

TABLE I. ENTERPRISE RISK MANAGEMENT LIKELIHOOD

TABLE II. ENTERPRISE RISK MANAGEMENT CONSEQUENCES
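The FAIR quantification described in this section, as an added worked example that is not part of the paper: a Python Monte Carlo estimate of annualized loss from three-point estimates of threat event frequency, vulnerability and loss magnitude, followed by a function that maps the estimate onto the four treatment options listed above (accept, avoid, transfer, mitigate). The factor structure (Risk = Loss Event Frequency × Loss Magnitude, with LEF = Threat Event Frequency × Vulnerability) is FAIR’s own; the scenario figures, the risk-appetite threshold, the `recommend_treatment` heuristics and every name in the code are constructed assumptions for illustration.

```python
"""FAIR-style risk quantification with a treatment recommendation.

Added example (not from the paper). The factor structure follows the public
FAIR ontology: Risk = Loss Event Frequency x Loss Magnitude, where
LEF = Threat Event Frequency x Vulnerability and LM = primary + secondary loss.
The scenario figures, the risk-appetite threshold and the treatment
heuristics below are constructed assumptions for illustration only.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution.
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability a threat event becomes a loss event
    primary_loss: Estimate    # direct cost per loss event, USD
    secondary_loss: Estimate  # fines, notification, reputation per event, USD


# Constructed scenario: credential phishing against a finance application.
PHISHING = Scenario(
    name="credential phishing against finance app",
    tef=Estimate(2, 5, 12),
    vulnerability=Estimate(0.05, 0.15, 0.40),
    primary_loss=Estimate(50_000, 200_000, 800_000),
    secondary_loss=Estimate(20_000, 100_000, 400_000),
)

RISK_APPETITE_USD = 250_000  # constructed annualized-loss threshold the board accepts


def analytic_mean(s: Scenario) -> float:
    """Expected annualized loss: the factors are independent, so their means multiply."""
    return s.tef.mean() * s.vulnerability.mean() * (
        s.primary_loss.mean() + s.secondary_loss.mean()
    )


def simulate(s: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo estimate of annualized loss; returns the mean and percentiles."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    losses = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
        lm = s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
        losses.append(lef * lm)
    losses.sort()
    return {
        "mean": sum(losses) / trials,
        "p10": losses[int(0.10 * trials)],
        "p50": losses[int(0.50 * trials)],
        "p90": losses[int(0.90 * trials)],
    }


def recommend_treatment(expected_loss, appetite, control_cost, residual_loss, premium):
    """Choose among the four options using constructed heuristics:
    accept if already within appetite; mitigate if a control costs less than the
    loss it removes and brings residual loss within appetite; transfer if the
    insurance premium is below the loss and within appetite; otherwise avoid."""
    if expected_loss <= appetite:
        return "accept"
    if control_cost < expected_loss - residual_loss and residual_loss <= appetite:
        return "mitigate"
    if premium < expected_loss and premium <= appetite:
        return "transfer"
    return "avoid"


if __name__ == "__main__":
    est = simulate(PHISHING)
    print(f"{PHISHING.name}: mean ${est['mean']:,.0f} "
          f"(p10 ${est['p10']:,.0f}, p90 ${est['p90']:,.0f})")
    print("treatment:", recommend_treatment(est["mean"], RISK_APPETITE_USD,
                                            control_cost=120_000,
                                            residual_loss=60_000,
                                            premium=90_000))
```

The p10/p90 spread is what turns a single number into a statement an executive can weigh against the risk appetite; FAIR itself stops at quantification, and the treatment rule is a simple cost comparison added here to connect the estimate to the accept/avoid/transfer/mitigate decision.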

III. DEFENSE AWARENESS

Part of building a proper structure to mitigate potential and future risks from cyber security attacks involves conducting workshops to educate personnel. Guidelines and training documents provide details on user access privileges. Institutions should maintain an inventory of the assets, devices and applications that a user needs access to; this is secured with CyberArk, and Multi-Factor Authentication is enforced to protect the firm from unauthorized access to corporate assets. Penetration tests are conducted regularly, and the firm maintains a robust vulnerability management system to monitor
changes within information systems. Application security policies include written procedures with secure coding standards to ensure secure development of in-house applications.

The following cybersecurity workshops and training are mandatory for executives and employees:

Workshop 1: Agree on which entities to cover and what information is considered nonpublic, as well as the materiality of transactions that relate to the audit trail.

Workshop 2: Enforce MFA and how to reconstruct an audit trail.

Workshop 3: Clarify the certificate of destruction, and the feasibility of the retention policy.

Workshop 4: Train the staff and monitor for threats.

Workshop 5: Discuss the feasibility of encryption of nonpublic information and test the first line of defense on Microsoft Office format documents.

A. Policies and Procedures

A set of 15 must-have policies complements the company’s cybersecurity best practices and accompanies the strategy to enforce its fulfilment. Policies and procedures are communicated to all employees. Additionally, where required, appropriate sections are distributed to suppliers and contractors. In doing so, their importance is emphasized. Given that fulfilling them is compulsory, the firm audits compliance, provides continuous oversight, demands accountability, and, where necessary, imposes sanctions upon those who violate these rules. The list of policies can be found in Appendix B.

B. Safety and Physical Security

At any institution, employees’ safety is a priority. Therefore, drawing on the experience of a private security company, specific measures have been taken to ensure the safety of all employees, whether working on premises (garage included) or travelling for work purposes.

On the other hand, understanding that cyber-attacks can sometimes begin with a physical breach (for instance, when an outsider surreptitiously gathers fodder for a social engineering scheme, or when an insider such as a so-called “bad leaver” gains access to a company’s network and wreaks havoc without initially using malware or other clandestine technological means), institutions should take the physical security of facilities into consideration as part of the cybersecurity strategy. The physical security of the firm’s premises includes the reception and entry checkpoints; ID scanner and other access records; video; physical logs; and garage records. Safety and physical security measures are audited periodically by a renowned firm to check they are implemented and working as expected, and updated or fixed if necessary.

C. System Development Life Cycle and Change Management

All information systems, including operational systems, systems under development, and systems undergoing modification or upgrade, are in some phase of a system development life cycle. Requirements definition is a critical part of any system development process and begins very early in the life cycle, typically in the initiation phase. Security requirements are a subset of the overall functional and nonfunctional (e.g., quality, assurance) requirements levied on an information system and are incorporated into the system development life cycle simultaneously with the functional and nonfunctional requirements. As recommended by NIST [4], early integration of information security requirements into the system development life cycle is the most cost-effective and efficient method for an organization to ensure that its protection strategy is implemented.

With regard to configuration management and control, it is important to document the proposed or actual changes to the information system and its environment of operation and to subsequently determine the impact of those proposed or actual changes on the overall security state of the system. Information systems and the environments in which those systems operate are typically in a constant state of change (e.g., upgrading hardware, software, or firmware; redefining the missions and business processes of the organization; discovering new threats). Documenting information system changes as part of routine SDLC processes and assessing the potential impact those changes may have on the security state of the system is an essential aspect of continuous monitoring, maintaining the current authorization, and supporting a decision for reauthorization when appropriate.

D. Continuous Monitoring

As recommended by NIST [5], a critical aspect of managing risk to information from the operation and use of information systems involves the continuous monitoring of the security controls employed within or inherited by the system. The objective of the continuous monitoring program is to determine if the
set of deployed security controls continues to be effective over time in light of the inevitable changes that occur. Continuous monitoring is a proven technique to address the security impacts on an information system resulting from changes to the hardware, software, firmware, or operational environment. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information to organizational officials in order to take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation of the information system. Continuous monitoring programs provide organizations with an effective mechanism to update security plans, security assessment reports, and plans of action and milestones.

E. Monitoring Strategy

The monitoring program is integrated into the organization’s system development life cycle processes. A robust continuous monitoring program requires the active involvement of information system owners and common control providers, the CIO, the CISO, and authorizing officials. The monitoring program allows an organization to: (i) track the security state of an information system on a continuous basis; and (ii) maintain the security authorization for the system over time in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and represents a significant change in the way security authorization activities have been employed in the past. The firm uses vulnerability scanning tools, system and network monitoring tools, and other automated support tools that can help to determine the security state of an information system.

F. Monitoring Program

The monitoring program includes:

• Configuration management and control processes for organizational information systems;
• Security impact analyses on proposed or actual changes to organizational information systems and environments of operation;
• Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the organization-defined continuous monitoring strategy;
• Security status reporting to appropriate organizational officials; and
• Active involvement by authorizing officials in the ongoing management of information system-related security risks.

G. Metrics

The results of our cybersecurity strategy are measured through a set of metrics that help us to monitor and control its implementation, better manage our risk and make informed decisions. The list of metrics can be found in Appendix C.

H. Documentation and Status Reporting

Continuous monitoring results are considered with respect to any necessary updates to the security plan, security assessment report, and plan of action and milestones, since these documents are used to guide future risk management activities. Updated security plans reflect any modifications to security controls based on the risk mitigation activities carried out by information system owners or common control providers. Updated security assessment reports reflect additional assessment activities conducted by assessors to determine security control effectiveness based on modifications to the security plan and deployed controls. The results of monitoring activities are reported to authorizing officials on an ongoing basis in the form of status reports to determine the current security state of the information system, to help manage risk, and to provide essential information for potential reauthorization decisions.

IV. SECTION 0 – TYPES OF ATTACKERS

According to the US Dept. of Homeland Security, “Cybersecurity is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level.” [6]

Knowing the enemy requires understanding the different threat actors, what their motivations and goals are, how they operate and their sophistication levels, all of which can be used to assess the degree of risk. Security experts understand the continuum of threat actors well, based on monitoring and analysis of incidents. A variety of actors with different motivations and objectives are constantly looking for vulnerabilities. These players range from the “inadvertent actor” with no malicious intent to a sophisticated, well-funded and resourceful character that presents a much higher risk of significant impact.

The following table illustrates the types of cyber security actors, with references to historical cybersecurity cases for clarity:

TABLE III. CYBERSECURITY ACTORS. SOURCES: FORTUNE AND MCAFEE

A. The Cyber Attack Decision Tree

Institutions should implement a Cybersecurity Framework based on NIST [7]. These are the framework’s core functions:

• Identify
• Protect
• Detect
• Respond
• Recover

These core functions translate into the following actions:

1) Identify known cybersecurity risks to their infrastructure
2) Develop safeguards to protect the delivery and maintenance of infrastructure services
3) Implement methods to detect the occurrence of a cybersecurity event
4) Develop methods to respond to a detected cybersecurity event
5) Develop plans to recover and restore the companies’ capabilities that were impaired as a result of a cybersecurity event

The following attack vectors have been considered, and a decision tree based on the framework is provided below:

• Data Loss
• Insider Threat
• Vendor/Partner Compromise
• Compromise of Individual Device
• Phishing
• Network/System Breach
• DDoS Attack
• Ransomware

Figure 2. Detect and Identify

When a potential incident is reported, the incident will be investigated to determine if it is valid based on known attack vectors. Once validated, one or more members of the incident response team will collaborate to determine and classify the impact using the Consequence Table. The categories of incidents are insignificant, minor, moderate, major, and extreme (see the Consequence Table).

Each attack vector has the potential to overlap with others, particularly for data loss or insider threat. One or more of the following decision trees may be put into action depending on the circumstances of the breach.

Figure 3. Respond and Recover

An incident that involves loss of data must be immediately analyzed for the loss of classified or sensitive data. If the data contains PII (Personally Identifiable Information), PCI (Payment Card Industry), SOX (Sarbanes-Oxley) or other types of data deemed classified or sensitive, then specific communications will be formulated to the necessary individual(s) and agencies. The Communications Officer will be responsible for these communications with oversight from the C-Suite: CEO, CISO, CFO and CIO. For any other loss of data, the data recovery, backup and restore will be performed by Information Technology and business will resume as usual.

Figure 4. Insider Threat

If it is determined that any compromise was the result of an insider threat, whether it be a vendor, employee, consultant or former employee, an official investigation will be conducted to determine the goals of the attacker, the data lost and the entry points of the intrusion. Additionally, the investigation will expand to cover any individuals with close relations to the attacker and the identification of additional known conspirators.

Immediately following the identification of an insider threat, the user’s account will be disabled based on IT guidelines. Furthermore, checks will be performed to identify any unknown accounts, and logs will be assessed regularly for other suspicious unauthorized activity.

Figure 5. Vendor/Partner Compromise

In the event that a vendor account or endpoint is compromised, a line of communication will be opened with the vendor to assist in identifying the extent and nature of the breach. The data loss and network breach decision trees will be acted upon, as well as an investigation into any insider threats based on those who have access to and knowledge of vendor systems and their inner workings. The goal will be to restore operations with the vendor in a timely manner while gathering the appropriate data to assess the damage and enable additional security protocols to secure the connection in the future.

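The account checks that the insider-threat procedure above calls for once the user’s account has been disabled (identify unknown accounts, review logs for unauthorized activity), as an added example that is not part of the paper. It scans authentication log lines against an approved account inventory and a record of disabled accounts, flagging accounts the inventory does not know about and any authentication by a disabled account after its disable time. The log format, the account names, the sample lines and the helper names are all constructed for this example.

```python
"""Post-incident account review for the insider-threat procedure.

Added example (not from the paper). It implements two checks the procedure
calls for after an insider's account is disabled: flag logins by accounts that
are not in the approved inventory, and flag any authentication by a disabled
account after the time it was disabled. The log format, account names and
all sample lines are constructed for this example.
"""
import re
from datetime import datetime, timezone

# Constructed line format: "<ISO timestamp> auth <success|failure> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed inventory: accounts currently approved to exist.
INVENTORY = {"jdoe", "svc_backup"}

# Constructed record of accounts disabled after the insider-threat finding.
DISABLED = {"mrivera": datetime(2019, 3, 4, 10, 0, tzinfo=timezone.utc)}

# Constructed sample log: one login before the disable time, one failed and one
# successful attempt after it, one account missing from the inventory, one junk line.
SAMPLE_LOG = """\
2019-03-04T08:02:11+00:00 auth success user=jdoe src=10.0.4.21
2019-03-04T08:10:45+00:00 auth success user=mrivera src=10.0.4.30
2019-03-04T11:30:00+00:00 auth failure user=mrivera src=10.0.4.30
2019-03-04T11:31:20+00:00 auth success user=mrivera src=10.0.9.8
2019-03-04T12:00:05+00:00 auth success user=svc_backup2 src=10.0.2.2
this line is malformed and must be skipped rather than abort the review
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None so callers can skip junk."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),  # offset-aware, so comparable to DISABLED
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def review_auth_log(lines, inventory, disabled):
    """Return findings as (kind, user, timestamp, source) tuples in log order.

    kinds: unknown_account          - user neither in inventory nor in the disabled list
           disabled_account_login   - successful auth after the account was disabled
           disabled_account_attempt - failed auth after the account was disabled
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev["user"]
        if user not in inventory and user not in disabled:
            findings.append(("unknown_account", user, ev["ts"], ev["src"]))
        elif user in disabled and ev["ts"] > disabled[user]:
            kind = ("disabled_account_login" if ev["result"] == "success"
                    else "disabled_account_attempt")
            findings.append((kind, user, ev["ts"], ev["src"]))
    return findings


def review_sample():
    """Run the review over the constructed sample log."""
    return review_auth_log(SAMPLE_LOG.splitlines(), INVENTORY, DISABLED)


if __name__ == "__main__":
    for kind, user, ts, src in review_sample():
        print(f"{ts.isoformat()} {kind:24} user={user} src={src}")
```

A `disabled_account_login` finding is the one to escalate first: it means the disablement did not take effect (or was reverted) on the system that wrote the log, which is exactly the gap the procedure's follow-up checks exist to catch. Failed attempts by a disabled account and accounts absent from the inventory feed the regular log review the procedure prescribes.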
Figure 6. Compromise of individual device

If an individual device is compromised, the Desktop Support team will determine if the device is recoverable through scan and removal of malicious software or through backup and restore. If the device is in an unrecoverable state, or the device is known to contain highly sensitive information, the device will be isolated, removed from the network and sent for forensic analysis. The CISO will work with the CIOO to communicate unusual findings.

Figure 7. Phishing attack

If there is a malware detection that can be traced back to a phishing campaign, or a user reports a suspicious email or other form of communication that seems like a potential phishing attack, then the decision trees for data loss and system and network recovery will also be enacted.

There will be an investigation into the phishing target with the goal of determining the intention of the attacker and what information they were seeking (see Section 0 on common types of hackers) or may have retrieved. Depending on the extent of the breach, various members of the C-Suite will convene to determine next steps. The Human Resources department will be responsible for investigating the phishing target(s) to determine if any sensitive information was obtained. Further rules for response on data loss or network breach will be followed.

Figure 8. Network system breach

In the event of an advanced persistent threat (APT) involving a multifaceted breach of network and system resources, it will be determined if systems can be restored with internal resources through collaboration of Information Technology and Information Security. If the breach is beyond internal expertise, external agencies such as the FBI (Federal Bureau of Investigation) or DHS (Department of Homeland Security) will be contacted for assistance as needed. All members of the C-Suite (CEO, CISO, CIOO, CFO), as well as HR (Human Resources), will formulate a specific recovery plan and proper communications based on the severity and financial impact to the company by referring to the Consequences Table.

Figure 9. Ransomware

In the unfortunate case of ransomware, where there is potentially unrecoverable data loss through encryption and the data is being held for ransom, the data loss decision tree will also be invoked. If the data is considered classified or sensitive, or poses a risk where the business cannot recover financial losses, then external agencies will be notified for advice and assistance. All members of the C-Suite will be active in assessing the damage of a ransomware attack and determining the proper action.

Figure 10. DDoS attack

In the event of a DDoS attack (Distributed Denial of Service), flooding the network or targeted machines through an overload of requests, the IT Operations team will be responsible for denying traffic and reporting on any potential loss of data and/or revenue streams. The CISO will work jointly with the CIOO to communicate the impact of the attack and set expectations for recovery time before returning to business as usual.

B. Protect and Prevent

The CISO will be responsible for cyber security education and overseeing ongoing improvements to cyber defenses. The Incident Response team will review the cyber security playbook quarterly and conduct table top exercises to rehearse incident response procedures. Knowing that attack vectors evolve over time and that attacks become more sophisticated each day, the decision tree will be updated and will adapt to lessons learned.

The cyber security playbook decision tree is meant as a general guideline. Each incident must be assessed and categorized individually, and it is the responsibility of the C-Suite to analyze, communicate and react according to the various circumstances of each individual threat.

V. SECTION 2 – C-SUITE RESPONSE

Cybersecurity issues are no longer limited to the Information Technology department. Security breaches threaten every aspect of the organization and pose a significant threat to ongoing business continuity and reputation. These issues extend well beyond the technical environment and reach across the entire business ecosystem.

Cybersecurity solutions must encompass not only technical fixes, but also changes in business processes, controls, and management and employee behavior. Therefore, the Board of Directors understands that being prepared to understand cybersecurity issues, make the key decisions that prevent cyber issues from evolving into full-scale problems, and handle issues from the front row if presented are the Board’s responsibility.

Moreover, the factors that can help “to make the strategy succeed are: identifying information critical to your business; making cybersecurity part of your culture; considering cybersecurity impacts in your decisions; and measuring your progress” (Touhill & Touhill, 2014, Page 124).

As part of the governance model and following the recommendation of the National Association of Corporate Directors (NACD), institutions should follow these Five Guiding Principles:

1) Understand and approach cybersecurity as an enterprise-wide risk-management issue, not just an IT issue
2) Understand the legal implications of cyber risks as they relate to their company
3) Have adequate access to cyber security expertise, and discussions should be held regularly at board meetings
4) Make sure that management establishes an enterprise-wide risk management framework with adequate staffing and budget
5) Identify which risks to avoid, accept, mitigate, or transfer through insurance.

The following sections detail the response for each C-Suite role:

A. Chief Executive Officer (CEO)

The CEO makes sure that cybersecurity is incorporated into our strategy as a cornerstone of our business. “Our brand reputation, partnerships, potential investment opportunities, and competitive advantage all rely on the integrity of our information”. The following factors have been taken into consideration to make our strategy succeed:

• Identification of the information critical to the business
• Cybersecurity as part of the company’s culture
• Cybersecurity impacts considered in all decisions taken
• Measurement of the progress.

There are three initial considerations that the CEO takes into account: first of all, protecting our company against cybersecurity threats goes beyond pure compliance with standards or regulations. Secondly, we strive to find the balance between cybersecurity and productivity, as “Cost, performance, and ease of use are key attributes of an efficient and successful cybersecurity program.” (Touhill & Touhill, 2014, Page 273). Thirdly, we take into account the risk management lifecycle.

Based on these initial considerations, our cybersecurity strategy distinguishes three Areas of Focus:

1) Establishing a governance model for security, including enterprise-wide collaboration,
2) Identifying and protecting critical data and applications, and
3) Developing and implementing an effective response plan.

The details of the Response Plan can be found in Section 1 of this Playbook, but Appendix D includes a comprehensive checklist taken into consideration for the firm’s CEO when evaluating cybersecurity and taking major decisions before, during and after an incident.

Regarding the CEO responsibilities and according to the NIST Framework, “the head of agency (or chief executive officer) is the highest-level senior official or executive within an organization with the overall responsibility to provide information security protections commensurate with the risk and magnitude of harm (i.e., impact) to organizational operations and assets, individuals, other organizations, and the nation resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of: (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”

As additional responsibilities, the following are considered:

• Making sure cybersecurity is part of the company’s strategy and operational planning, the board discussion and the company’s daily routine. This involves transforming the company culture, providing the necessary resources in terms of security systems and security-trained personnel, and taking into account lessons learnt from previous incidents (if any) to improve its security posture.
• Creating a Security Committee led by the CISO, which consists of the members of the C-suite (CEO, CISO, CFO, COO/CIO, Head of Legal/Head of Communication). This committee is in charge of protecting the privacy of corporate and customer data on the network and protecting it from intruders, defining the company’s risk posture, engaging third parties to find hidden vulnerabilities or active compromises, developing and implementing the policies or guidelines required (in compliance with regulations), and considering cyber insurance for the company and the Directors.
• Overseeing the company’s response, especially the communication strategy, in close contact with the General Counsel and the Head of Communication.
• Overseeing the damage control, especially what is related to approving the investments and personnel needs to strengthen the company’s defenses.
• Assisting law enforcement after an incident, if required, in close collaboration with the General Counsel.
• Repairing the company’s reputation with customers, partners, regulators, media, etc. in close collaboration with the Director of Communication.

B. Chief Financial Officer (CFO)

As most firms have the proper C-Suite executives working together in a strong collaborative effort to respond to any potential issues, the Chief Financial Officer (CFO) must be aligned on the financial data. The CFO already works closely with the CEO and CISO to understand the value of the data that could possibly be taken in a cybersecurity breach. From a financial view, the CFO works directly with technology and security to understand the leaks from a breach in order to manage potential risks. The majority of hacks, including ransom cyber-attacks, have a dollar value tied to them. The CFO needs to address these types of concerns, plus the costs of remediating the attack with an appropriate amount of resources, risk mitigation activities, software upgrades, and patches. The CFO works with the General Counsel, Legal, and the Director of Communications to analyze the financial impact of the current hack and potential future hacks in order to understand the financial matters in depth.

The CFO works directly with the CEO to discuss briefing matters on the financial budgets associated with cyber-attacks. Each attack a company encounters needs to be justified to provide the correct amount of costs for man-hours for a patch, and software upgrades to internal systems to build preventive measures within an organization. The CFO is responsible for recommending a budget with C-Suite executives on an annual 3-year rolling forecast to factor in maintenance of upgrades to all internal and external systems that could possibly be faced with any type of cyber threat.

An approved allocated budget from the C-Suite executives allows the CTO and CISO to work with external consulting providers to recommend equipment upgrades instead of fulfilling the requirements of a hacker if a ransom was requested. It’s worth remembering that when a company pays a ransom once, it will flood the gates with additional hackers in the foreseeable future to attack our organization for a quick payment, instead of the organization getting cybersecurity-expert law enforcement involved. Plus, this type of preventive measure keeps senior management in the loop to keep on investing more in the security space of our organization by increasing the annual budget to build workshops for firm awareness and risk mitigation.

• Budget: For 2017, the total is $650,000 for consulting and professional services for gap assessments for the year, which will allow senior management to focus on meeting requirements for 2018.
• Budget: For 2018, the total is $14,800,000, with CAPEX and OPEX for GTS/AME accounting for nearly $7,000,000.
• Status/Approach: Feb 2018, key deadlines include setting up a Cyber Security program, with policies and a CISO to manage all three lines of defense. Includes annual penetration testing and vulnerability assessments.

C. Chief Information Officer and Chief Operations Officer (CIOO)

Due to our complete reliance on technology to conduct business, the board may decide to combine the roles of CIO and COO into one: the CIOO. The combined role yields pronounced efficiencies/benefits as far as cybersecurity is concerned, more so during and after attacks.

VI. SCOPE

It is understood that protection against and detection of cyber-attacks is the responsibility of the CISO.

The CIOO partners with the CISO in formulating and executing remediation. The CIOO is equally responsible for:

1) Responding:
  a) Apply security patches to vulnerable or affected infrastructure components
  b) Isolate/turn off infrastructure components
  c) Deploy teams to investigate or remediate the issue
2) Recovery:
  a) Business recovery (BR), e.g. repair affected applications, databases and systems
  b) Activate business continuity (BC) plans
  c) Activate disaster recovery and service continuity (DR/SCM) plans

Business continuity and recovery components to be addressed during and after a cyber-attack:

3) Adherence to legal, regulatory and governance requirements: refer to the Crisis Management section of the firm’s Governance Policy. The aim is to operate within the governance and regulatory framework even in the event of a crisis. The objective is to guard against operational havoc by:
  a) Not violating governance, legal, and regulatory guidelines
  b) Not opening the door for exploitation of crisis situations by malicious actors
  c) Maintaining accountability, records and consistency (see figure below)

• Collaborate with authorities – SEC, FBI & NSA.
• Address external risks – partner/supplier relationships and communications
• Global Context – political, economic and social changes and events

VII. SYSTEMS CLASSIFICATION

To formulate appropriate responses and communications during a cyber-attack, the CIOO and their delegate would consult the Applications and Systems Registry, which contains, in addition to business and technical information, the appropriate RACI diagram. It should be used as the backdrop against which action is taken (see figure below).

TABLE IV. THE CIOO AND THE APPROPRIATE RACI DIAGRAM


A. Data Classification
The firm assigns the highest priority, when assessing the impact of an attack, to the following classes of data:
1) Personally Identifiable Information (PII)
2) Non-Public Material Information (NPMI), such as SEC filing information, board resolutions of clients, etc.
3) Confidential Supervisory Information, such as communications from the SEC and other regulatory bodies.
Attacks impacting systems housing any of the above three types of data are high risk by nature. The default severity of any such attack is Major until it is downgraded.

B. Cybersecurity Events & Change Management
Since remediation and recovery entail changing components in the ecosystem and infrastructure, the CIO has put in place the following processes:
1) Emergency Change Management: Extreme and Major events justify the activation of these processes, where signed pre-approvals are deposited by:
a) Business Application Owners
b) Business Unit Leaders
c) The BoD, subject to final sign-off based on the scope of action where there is:
 A need to communicate externally
 A legal liability
 Financial risk
2) Expedited Change Management: Moderate events warrant a scaled-down change process where:
a) Pre-approved damage control (limited isolation of components/apps)
b) Fast-track change management: convening skeleton meetings within pre-approved timeframes based on the affected apps/components, attended by Application Owner and Business Unit representatives.

C. Structure and Delegation
The CIO has two delegates working in tandem and collectively participating in day-to-day business as well as during cybersecurity events:
 VP Operations Management
 VP IT Management
The CIO's participation and delegation during cyber events is based on severity, as shown in Table V below.⁸

TABLE V. THE CIO PARTICIPATION AND DELEGATION DURING CYBER EVENTS BASED ON SEVERITY

Participation levels are described as follows:
 100%:
 Cancel all personal commitments for 72 hours
 Physically on-site in the nearest offices for 72 hours OR, if remote, via phone and email with access to appropriate dashboards and/or metrics.
 75%:
 Cancel all personal commitments for 48 hours
 Physically on-site in the nearest offices for the first 24 hours OR, if remote, via phone and email with access to appropriate dashboards and/or metrics.
 50%:
 Keep personal commitments but refrain from alcohol
 Maintain unfettered access to phone and email communication

 Maintain the ability to join conference calls or video conference meetings as necessary
 25%:
 Keep personal commitments and minimize alcohol consumption
 Maintain unfettered access to phone and email communication
 Anticipate periodic status update calls or messages

⁸ Please note that a similar model applies to the rest of the members of the C-Suite.

D. Chief Information Security Officer (CISO)
Change is inevitable in every industry. But in finance, the pace of change is driven by regulatory flux, an ever-changing geopolitical landscape and the constant evolution of technology. Today's financial organizations face an unprecedented array of new challenges in the form of cyber-attacks. According to Cisco, a "playbook is a prescriptive collection of repeatable queries against security event data sources that lead to incident detection and response". Cyber threats are dynamic in nature, so it is important for CISOs to have essential planning and communication skills while protecting shareholder value.

VIII. WHY CYBER SECURITY?
From the CISO perspective, the questions to answer are:
 What am I trying to protect?
 What are the threats?
 How do I detect them?
 How do I respond?

Figure 11. The four faces of CISO

Figure 12. Guiding principles

Figure 13. Preparation: before event

Figure 14. Execution: during incident

Figure 15. Closing: post incident

IX. LEGAL COUNSEL (AKA GENERAL COUNSEL)
The Legal Counsel side of the issue is critical to the attack: applying the regulations of the state or country will prevent further damage in the form of lawsuits or penalties. Rules such as the GDPR need to be adhered to, because if it is found after an attack that not all proper precautions were followed according to the guidelines, the attacker will be the least of our worries. While legal is necessary for incident response, following the proper protocols ensures an attack has minimal damage.

A. Key concerns for General Counsel heavily revolve around compliance to meet Federal Mandates
It is the sole responsibility of C-Suite Executives to be aware of all information security regulations that apply to the company, such as the Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, the Federal Information Security Management Act (FISMA) of 2002, the General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS). General Counsel needs to work with both the CISO and the CIO to ensure information system security practices follow proper guidelines. Moving forward we need to be up to date on National Institute of Standards and Technology (NIST) best practices for cyber security infrastructure and policies.

The next aspect of General Counsel is to ensure that audits follow proper methodology for Federal Review and are set in place in order to produce effective controls, keeping semi-annual audits of the internal information security infrastructure, where a draft is written up to help conclude how the system can be improved. With all of the third-party vendors working with our organization, we need to ensure audits are conducted based on information security policies and that systems will not be a liability to the company. General Counsel needs to adhere to best practices in risk management so as to have minimal or no damage in an attack.

The General Counsel ensures that proper thresholds for involving law enforcement are set up in our preventive measures and resolution plan. We have drafted a scenario-based list of how much damage, and what type of damage, is expected to occur before involving the federal authorities. Internally, within our organization, we have established connections with security clearance authorities as well, to understand the scope of the investigation and to address how it will affect the firm's information and business processes.

Figure 16. Key Metrics

General Counsel has developed a proper Data Retention Policy for internal employees and external clients to keep data secured and protected. We need to understand the data retention policies for how to properly manage and maintain data as evidence in case of a customer request for information (RFI). A major focus is then on ensuring the integrity of the data is preserved, as well as documenting the chain of custody, which begins in the collection phase.

General Counsel has created the proper documentation for executive opinions that could possibly affect attorney-client privilege. Incident response work is treated as part of normal operations and is kept under attorney-client privilege, which is why Counsel should be involved in all communication, whether by phone, email, etc., between the company and the cyber security consultants brought in for the attack. Direct contact with General Counsel is required immediately after an attack, as the worst part of the attack is right after it has taken place: because of speculation on incomplete information, damaging communication is likely to occur.

1) Compliance
As we are in a growing age of cyber security breaches and constant hacks of each organization from outside parties, the laws on data security and provisioning have been increasing. US regulators have forced organizations holding client and customer data to take increased precautionary measures to ensure governance. New regulations, and the requirements they impose, include the New York Department of Financial Services (DFS) Cyber Law, GDPR, multi-factor authentication, and a third-party security program.

The DFS Cyber Law (23 NYCRR Part 500) remediation plan is heavily focused on the governance requirements set by the New York State Department of Financial Services; these are state requirements, distinct from federal mandates and from FINRA rules for broker-dealers. As the need for proper preventive methods grows, C-Suite Executives turn to Legal Counsel to build proper strategies to implement a strong cyber security infrastructure that covers all divisions of the company from front to back office. This includes a program to design a risk-based approach with policies to address key elements, reviewed by the General Counsel, with the CISO overseeing the program.

The General Counsel will need to translate the regulatory requirements into a variety of controls, with alignment from all areas of the organization. These technical implementations include multi-factor authentication for network access, encryption to protect information, and breach notification to the DFS within 72 hours of determining that a cyber-attack has occurred. With new mandates being consistently brought up in the media, it is an aggressive timeline to implement these requirements, given the increasing number of threats and cyber-attacks. Information Technology stakeholders globally, such as ITEC and GTS, will help with the execution, and regulatory requirements such as GDPR outline exactly what needs to be followed in addition to US regulations.

2) Guidelines for Compliance
Purpose: the law requires banks regulated by DFS to establish and maintain a Cyber Security Program.
• Section 1: Compliance by August 28, 2017, covering the cyber security program, policies, and a CISO
• Section 2: Compliance by March 1, 2018, covering MFA, training and risk assessment
• Section 3: Compliance by September 3, 2018, covering audit trail, data encryption and monitoring
• Section 4: Compliance by March 1, 2019, covering the third-party security program

B. Director of Internal and External Communication
The main responsibility of the Director of Internal and External Communication in a cybersecurity breach is to keep the public aware of any risk mitigation issues and to provide a strong response to the media that we as C-Suite level employees are ensuring best practices to safely protect the data of our customers. In this day and age, it is crucial to develop relationships outside the organization with the correct media outlets, to release significant details while gaining the trust of our shareholders. These types of breaches have in the past caused many issues by not focusing efforts on communication and keeping shareholders and stakeholders in the loop.

1) Internal Communication
Internal communications address two groups: employees and any business partners. Effective internal communication mitigates panic by individuals and organizations who work in or with the company. If employees or business partners panic and make consequential decisions based on incomplete information, they could cause much more harm than the attack itself. An effective communication plan allows for a smooth flow of information at the time of crisis, so attention can be given to the more pressing issue of how to stop the attack rather than to its secondary effects.

Managing the internal communication between employees and the C-Suite is a fundamental need as soon as the response begins. This keeps employees in the loop and aware not to communicate outside the organization in ways that could reflect negatively in the media. As soon as the attack occurs and management is notified, all employees will receive an email from Human Resources. This will report that a breach has occurred and that further information will be made available as soon as possible. Also, all internal emails by non-members of the internal team investigating the incident should cease, because speculation could cause unnecessary panic (and, if the email system itself may be compromised, the response team should use a pre-arranged out-of-band channel). There will be a request not to use social media at this time, listing the consequences misinformation can cause. All Information Technology senior management will receive a separate protocol which, depending on the specifics of the attack, will describe how their department will be responding. The CISO here will be the main supervisor in charge of all necessary changes that need to be made to any information systems.

Other banks and broker-dealers our firm does business with should be notified through a proper response method in order to protect business with our partners. If the company has any legal obligation to report an attack within a specified amount of time, as is the case with the GDPR breach notification rules, let the entity know of the attack, whether it be for compliance, insurance, or the CIRT. Let any business partners know of any vulnerabilities to their information, so they can begin their own incident response plans to keep their business from being affected by the attack.

2) External Communication
External communications will focus on stakeholders of the company as well as the media. External communications will be less specific and will serve to keep the public image of the company as one that is on top of the attack, and to give assurance to stakeholders and customers alike. A well-known example of poor external communication is the 2014 Sony Pictures hack, where Sony's reputation was tarnished for not standing up to the attackers.

Based on external communications, a major area of concentration needs to be keeping the stakeholders and shareholders of the organization supplied with the latest up-to-date information. This type of direct involvement by C-Suite executives makes shareholders feel part of the organization through engagement notifications. The focus of these communications is on the specifics of the cyber-attack and the plan created to ensure that the company does not allow further information or data to be exposed to the public. The external communication will then set out a strategic plan covering the increase in security controls, password resets, identification requirements, and preventive measures such as patching. The communication that will be shared with the public will be drafted by the C-Suite to explain all of the above, with additional answers to questions raised under media scrutiny.

Managing public relations is going to be key in our cyber breach playbook. Depending on the scope of the attack, a strong public relations response and resource will need to be positioned here, as the majority of the C-Suite will be completely consumed in responding to the attack. The first response to the media will be crucial in order to have control of any negative news that could hurt our organization. The company will make it a top priority to have the appropriate response in order to set up proper damage control and manage expectations. The public relations team will have to set up proper contacts within each media organization ahead of time, to reveal minimal details of the attack and assure the public of the risk mitigation activities being performed by senior management.

3) Communications to regulators
The firm has decided to adopt a doctrine of transparency in reporting cybersecurity attacks, despite the fact that, beyond the mandatory notifications described above (DFS and GDPR), such public reporting is optional. The reporting, however, is qualified in that it should apply only to Extreme and Major events. The rationale is that the company needs to guard against long-term reputational loss or damage, despite the short-term risk of stock price fluctuation. In the event of Extreme and Major attacks, the executive board will approve communications based on Form 8-K, using the Fish & Richardson Disclosure Decision Tree depicted in the figure below.

Figure 17. Appendix A. Organization Chart

TABLE VI. APPENDIX B. CYBERSECURITY POLICIES

TABLE VII. APPENDIX C. CYBER SECURITY METRICS

Question: How vulnerable are we?
1.0 Number of threats detected
  1.0.1 How many times are we being "pinged" and "probed"?
  1.0.2 How much spam is filtered?
  1.0.3 How many phishing messages are we receiving?
  1.0.4 Who is targeting us?
1.1 Number of known vulnerabilities
  1.1.1 System vulnerabilities
    1.1.1.1 Number of vulnerabilities discovered
    1.1.1.2 Percentage of vulnerabilities mitigated in prescribed time frames
    1.1.1.3 Number of residual vulnerabilities
  1.1.2 Other vulnerabilities
    1.1.2.1 Percentage of systems and devices beyond projected life span
    1.1.2.2 Percentage of software beyond projected life span
1.2 How many cyber security incidents have we detected?
  1.2.1 Number of cybersecurity incidents detected
  1.2.2 Number of detected cybersecurity incidents by category
  1.2.3 Cost per incident
  1.2.4 Who is responsible for cyber security incidents?

Question: How effective are our systems and processes?
2.0 Network performance measures
  2.0.1 Network performance measurement
  2.0.2 How does network performance compare to previous measurements?
  2.0.3 Percentage of devices with current security software
2.1 Change management
  2.1.1 Number of unauthorized changes (unauthorized changes to your systems are not good)
  2.1.2 Percentage of maintenance successfully accomplished within schedule and budget
2.2 Software configuration management
  2.2.1 Percentage of software current with all known patches (a critical cybersecurity measure: it makes sense to patch your software)
  2.2.2 Number of unauthorized software and media detected on network and devices
2.3 Physical security
  2.3.1 Number of physical security incidents allowing unauthorized access into facilities
  2.3.2 Number of violations of clean desk policy
2.4 Acquisition
  2.4.1 Percentage of system and service contracts that include security requirements and/or specifications

Question: Do we have the right people, are they properly trained, and are they following proper procedures?
3.0 Percentage of employees who have current cybersecurity training
3.1 Percentage of technical staff with current certifications
3.2 Number of users with system administrator privileges
3.3 Number of security violations during the reporting period
3.4 Percentage of security incidents/violations reported within required timelines

Question: Am I spending the right amount on security?
4.0 Cyber security costs
  4.0.1 Percentage of the IT budget devoted to cybersecurity
  4.0.2 Percentage of the organization budget devoted to cybersecurity
  4.0.3 Execution of current budget
4.1 Value of information
4.2 Consequences of information loss, tampering, or destruction
  4.2.1 Cost to replace
  4.2.2 Estimated costs associated with loss, tampering, or destruction of information
  4.2.3 Estimated costs associated with regulatory fines for failing compliance
4.3 Cybersecurity risk exposure
  4.3.1 Cybersecurity risk
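Metrics 1.1.1.1 through 1.1.1.3 in the table above are only comparable across reporting periods if the remediation window and the treatment of still-open findings are fixed in advance. The following is an added example, not code from the paper, that computes those three metrics from a vulnerability register as of a reporting date. The severity-to-SLA mapping, the register fields and the sample findings are assumptions constructed for illustration; substitute the firm's own policy values. It goes slightly beyond the table by also counting open findings that are already past their deadline, which is the figure a CISO usually has to explain.

```python
"""Vulnerability remediation metrics (Appendix C, items 1.1.1.1 to 1.1.1.3).

Added example, not code from the paper. The severity-based remediation
windows, the register layout and the sample findings are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

# Assumed remediation windows in days per severity. Substitute the firm's
# own policy values; these are illustrative only.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str               # one of the SLA_DAYS keys
    discovered: date
    remediated: Optional[date]  # None while the finding is still open


def sla_deadline(f: Finding) -> date:
    """Date by which the finding must be remediated under the assumed SLA."""
    try:
        return f.discovered + timedelta(days=SLA_DAYS[f.severity.lower()])
    except KeyError:
        raise ValueError(f"unknown severity {f.severity!r} on {f.finding_id}")


def sla_outcome(f: Finding, as_of: date) -> Optional[bool]:
    """True = fixed within SLA; False = SLA missed (fixed late, or still open
    past its deadline); None = still open and not yet due as of the report."""
    deadline = sla_deadline(f)
    if f.remediated is not None:
        return f.remediated <= deadline
    return None if as_of <= deadline else False


def vulnerability_metrics(findings: Iterable[Finding], as_of: date) -> dict:
    """Compute 1.1.1.1 (discovered), 1.1.1.2 (% mitigated in time) and
    1.1.1.3 (residual) for a reporting date, plus an overdue breakdown."""
    findings = list(findings)
    outcomes = {f.finding_id: sla_outcome(f, as_of) for f in findings}
    decided = [o for o in outcomes.values() if o is not None]
    met = sum(1 for o in decided if o)
    open_findings = [f for f in findings if f.remediated is None]
    overdue = [f for f in open_findings if outcomes[f.finding_id] is False]
    return {
        "discovered": len(findings),
        # Only findings whose SLA outcome is already known count toward the
        # percentage; open findings still inside their window would otherwise
        # flatter the number one way or the other.
        "pct_mitigated_in_sla": round(100.0 * met / len(decided), 1) if decided else None,
        "residual_open": len(open_findings),
        "residual_overdue": len(overdue),
        "residual_by_severity": dict(Counter(f.severity.lower() for f in open_findings)),
    }


# Constructed sample register (not real scan data).
SAMPLE_FINDINGS = [
    Finding("V-1", "web-01", "critical", date(2018, 3, 1), date(2018, 3, 5)),
    Finding("V-2", "db-02", "high", date(2018, 1, 10), date(2018, 2, 20)),   # fixed late
    Finding("V-3", "app-07", "high", date(2018, 3, 20), None),               # open, within SLA
    Finding("V-4", "fs-03", "medium", date(2017, 11, 1), None),              # open, overdue
    Finding("V-5", "ws-19", "low", date(2018, 2, 1), date(2018, 3, 15)),
    Finding("V-6", "vpn-01", "critical", date(2018, 3, 25), None),           # open, within SLA
]


def sample_metrics() -> dict:
    """Metrics for the constructed register as of 31 March 2018."""
    return vulnerability_metrics(SAMPLE_FINDINGS, date(2018, 3, 31))


if __name__ == "__main__":
    for key, value in sample_metrics().items():
        print(f"{key}: {value}")
```

Running the block reports 6 discovered, 50.0% mitigated within SLA (two of the four findings with a known outcome), 3 residual and 1 of those overdue. The design choice worth noting is that an open finding inside its window is neither a hit nor a miss, so the percentage reflects only decided cases; a register export from a scanner (CSV of id, asset, severity, first seen, fixed date) maps directly onto the Finding fields.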

TABLE VIII. APPENDIX D. CHECKLIST FOR CEO (EXECUTIVES IN GENERAL)

TABLE IX. ONE EVENT FOLLOWED BY ANOTHER

REFERENCES
[1] Morgan, S. (2015, November 24). IBM's CEO On Hackers: 'Cyber Crime Is The Greatest Threat To Every Company In The World'. Retrieved August 05, 2017, from https://www.forbes.com/sites/stevemorgan/2015/11/24/ibms-ceo-on-hackers-cyber-crime-is-the-greatest-threat-to-every-company-in-the-world/
[2] Global Cost of Cybercrime Predicted to Hit $6 Trillion Annually By 2021, Study Says. (2016, August 16). Retrieved August 05, 2017, from http://www.darkreading.com/attacks-breaches/global-cost-of-cybercrime-predicted-to-hit-$6-trillion-annually-by-2021-study-says/d/d-id/1326742
[3] Cybersecurity Questions for CEOs. (n.d.). Retrieved August 5, 2017, from https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf
[4] Fry, E. (2014, June 12). The 6 worst kinds of computer hackers. Retrieved August 05, 2017, from http://fortune.com/2013/02/26/the-6-worst-kinds-of-computer-hackers/
[5] M. (2016, October 24). 7 Types of Hacker Motivations. Retrieved August 05, 2017, from https://securingtomorrow.mcafee.com/consumer/family-safety/7-types-of-hacker-motivations/
[6] Enterprise Risk Management Consequence and Likelihood Tables. (n.d.). Retrieved August 6, 2017, from https://ppl.app.uq.edu.au/sites/default/files/Risk%20Consequence%20and%20Likelihood%20Table%20-%20Form.pdf
[7] Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for Executives. Wiley. ProQuest Ebook Central, https://ebookcentral.proquest.com/lib/columbia/detail.action?docID=1707094
[8] Wheeler, E. (2011). Security Risk Management, Chapter 8, Risk Evaluation and Mitigation Strategies. Elsevier Inc.
[9] FAIR Institute. (n.d.). FAIR, an international standard by the Open Group. Retrieved August 08, 2017, from http://www.fairinstitute.org/an-international-standard
[10] Deinert, A. (2016). "Cybersecurity Breach Playbook: What Every IT Administrator Needs to Know". Vantage Point Solutions, Mitchell, SD.
[11] Framework for Improving Critical Infrastructure Cybersecurity. (n.d.). Retrieved August 8, 2017, from the URL in [12].
[12] https://www.nist.gov/document-3766
[13] Cichonski, P. R., Millar, T., Grance, T., & Scarfone, K. (2017, February 19). Computer Security Incident Handling Guide. Retrieved August 08, 2017, from https://www.nist.gov/publications/computer-security-incident-handling-guide
[14] Duplicate of [13].
[15] NIST. (2014, February 12). Retrieved from https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
[16] Scholtz, T., & McMillan, R. (2017, January 26). Institute Cybersecurity and Risk Governance Practices to Improve Information Security. Gartner.
[17] Kark, K., Francois, M., & Aguas, T. (2016, July 25). The new CISO: Leading the strategic security organization. Retrieved August 09, 2017, from https://dupress.deloitte.com/dup-us-en/deloitte-review/issue-19/ciso-next-generation-strategic-security-organization.html
[18] Duplicate of [4], retrieved August 09, 2017.
[19] Duplicate of [5], retrieved August 09, 2017.
[20] Duplicate of [3].
[21] Duplicate of [1].
[22] Duplicate of [2].