Board directors and CEOs cannot afford to ignore issues of Privacy, Data breaches and Cyber-attacks in their organisations. Unfortunately (even sadly), these security areas are often treated separately, even though they are intrinsically linked.

To avoid gaps in the security posture of an organisation, these three areas must be considered as one framework.

A Holistic Digital Security Framework (HDSF) approach enables directors and senior executives to minimise the impact of security issues on their businesses.

The Need

• The Australian Government through various agencies (such as ASIC, ASD, OAIC, ACCC) are demanding Australian businesses protect their operations from cyber-attack.  
• Organisations are being fined large amounts of money for violations of the Privacy Act including those where cyber-attacks have been successful.
• Organisations are being fined large amounts of money for data breaches including many that have occurred because of cyber-attacks.
• Since security issues are intrinsically linked, addressing them separately leaves gaps which will be exploited.

For these reasons a Holistic Digital Security Framework (HDSF) that is standalone and covers all three areas but aligned with and informing an organisations Risk Management Framework is more useful and perhaps even necessary.

An HDSF framework is one that allows both the board directors and the senior management team, to understand their roles and responsibilities. This allows them to develop cohesive plans to reduce overall business disruptions caused by unwanted cyber- attacks, data and privacy breaches.

The HDSF Framework

Security is everyone’s business, whether it be physical, cyber security, data protection, business systems protection, industrial control systems (ICS), operational technology (OT), Internet of Things (IoT) and privacy.

The HDSF Framework Components

1. Overview

The overview contains the security objectives of the organisation, the assumptions and scope – internal units, external organisations – anything which might impact or is impacted by security. It is the basis of the framework.

2. Governance

Governance enables board directors and senior executives, to understand the large picture of digital security: 

• security principles, 
• roles including accountabilities and responsibilities,
• current and future compliance requirements, 
• assurance mechanisms, 
• legal and regulatory requirements, 
• policies and procedures, 
• alignment with organisational risk framework.   

3. Design

The design of security systems is not just a technical function but an organisational wide approach seeking to satisfy the objectives established in the Overview. This will have many aspects such as: 

• design principles, 
• organisational setting (e.g., management framework alignment, accountabilities, and responsibilities), 
• technology design, 
• organisational resilience to reduce the impact of a large security event,
• the means to recover, and 
• controls to monitor performance and compliance.

4. Culture

The number one security principle for any organisation is this: 

“Security is everyone’s business”.

This must be the basis for developing a “security culture”, whose objective must be to protect the information assets of the organisation including those of its clients, suppliers, and other stakeholders. A security culture means everyone

• takes responsibility for security
• receives continual training
• is rewarded for identifying and fixing security holes or attempted breaches, a
• accepts effective discipline for security breaches.
  

5. Operations

This aspect of the framework is security in action: 

• implementing design decisions though security projects, 
• building and sustaining culture, 
• implementing technical and other tools to identify threat and attacks, 
• gathering and using intelligence information to prevent breaches, 
• monitoring and reporting security events.

6. Attack Response

It has been well demonstrated in various studies that having a well thought out and tested Incident Response procedure is key to reducing the event impact and decreasing the recovery time back to normal operation. 

Forensic analysis should be part of the post event analysis to discover the true impact of the security event as well as the circumstances around the event itself. It sometime takes up to 12 months or more to uncover the impact.

How you can use the HDSF Framework

The framework is used dynamically and reflects the current status of compliance in many different areas. Specifically…

• Summary of all security activities across data, technology applications, networks, privacy, cyber threats etc
• Compliance with regulators and laws
• Alignment with Management Framework; accountabilities and responsibilities
• Identification of gaps in security coverage
• A basis for prioritisation of security projects
• Establish and monitor projects
• Establish a basis for negotiating insurance cover and associated premiums.
• Monitor all security operations
• Monitor data, cyber and privacy breaches
• Manage Risk aligned with the organisations risk management framework

To learn more about how the HDSF can be applied to your business, please contact me. Consultations, Seminars and Workshops are available to suit your needs.

By Greg Porter

Greg Porter Advisory

https://www.linkedin.com/in/gregporteradvisory/