Safeguarding Your Information

The Cybersecurity Framework Categories

[Figure: the five Framework categories arranged in a cycle]
Identify
Protect
Detect
Respond
Recover

Organizational Security Components

1) Physical Security – the protection of property, e.g. using fences and locks;
2) Personnel Security – e.g. using background checks;
3) Contingency Planning and Disaster Recovery – how to resume normal operations after an incident, also known as Business Continuity Planning;
4) Operational Security – protecting business plans and processes;
5) Privacy – protecting personal information;
6) Cyber-security – assess risk and vulnerabilities, and execute remediation.

How Risk is Determined from Threats, Vulnerabilities, Likelihood, and Impact

[Figure: diagram of how threats, vulnerabilities, likelihood and impact combine into risk; no text survived extraction]

Identify and Prioritize Information Types

Worksheet (one column per information type: Info type 1, Info type 2, Info type 3, …):
  Cost of revelation (Confidentiality)
  Cost to verify information (Integrity)
  Cost of lost access (Availability)
  Cost of lost work
  Fines, penalties, customer notification
  Other legal costs
  Reputation / public relations costs
  Cost to identify and repair problem
  PRIORITY:

1) List all of the information types used in your organization (define “information type” in any way that makes sense in your business). Think about all the information used by and in your business.

2) Enter estimated costs for each of the categories on the left. If you are unable to assign a dollar amount, use a scale such as low-medium-high, or 1-10. Avoid using a range (e.g. $2,500 to $50,000) and simply enter a best-guess average.

3) Based on the estimated costs, prioritize your information types in the bottom row. You may do this by calculating an overall ranking or risk score for each information type. Either add the values to give a total value or use the highest value or score given. For example, if the information type has one “high” rating, the entire information type should be rated as “high”.
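Worked example added here (it is not part of the presentation): a small Python script that applies steps 2 and 3 of this worksheet. It accepts dollar amounts, 1-10 numbers or low/medium/high labels for each cost row, rejects ranges as step 2 asks, and ranks the information types either by the highest rating (one “high” makes the whole type “high”) or by the total. The information types and ratings in SAMPLE are constructed for illustration.

```python
from typing import Dict, List, Tuple, Union

# The eight cost rows of the worksheet above.
COST_CATEGORIES = [
    "cost of revelation (confidentiality)",
    "cost to verify information (integrity)",
    "cost of lost access (availability)",
    "cost of lost work",
    "fines, penalties, customer notification",
    "other legal costs",
    "reputation / public relations costs",
    "cost to identify and repair problem",
]

# Ordinal scale used when no dollar figure can be assigned.
SCALE = {"low": 1, "medium": 2, "med": 2, "high": 3}
LABELS = {1: "low", 2: "medium", 3: "high"}

Estimate = Union[int, float, str]


def to_score(value: Estimate) -> float:
    """Turn one worksheet cell into a number.

    Accepts a dollar amount or 1-10 number, or a low/medium/high label.
    Ranges such as "2,500 to 50,000" are rejected, because the worksheet
    asks for a single best-guess average instead.
    """
    if isinstance(value, (int, float)):
        return float(value)
    text = value.strip().lower()
    if text in SCALE:
        return float(SCALE[text])
    if " to " in text or "-" in text:
        raise ValueError(f"range {value!r} not allowed; enter a best-guess average")
    return float(text.replace("$", "").replace(",", ""))


def rank_information_types(
    estimates: Dict[str, Dict[str, Estimate]], method: str = "highest"
) -> List[Tuple[str, float]]:
    """Score each information type and return them highest priority first.

    method="highest" follows the rule that one "high" rating makes the whole
    type "high"; method="total" adds the cells instead. Missing cells count
    as 0. Use one scale (dollars, 1-10 or labels) for the whole worksheet,
    since the two cannot be compared.
    """
    if method not in ("highest", "total"):
        raise ValueError("method must be 'highest' or 'total'")
    ranked = []
    for name, costs in estimates.items():
        unknown = set(costs) - set(COST_CATEGORIES)
        if unknown:
            raise KeyError(f"{name}: unknown cost rows {sorted(unknown)}")
        scores = [to_score(costs.get(row, 0)) for row in COST_CATEGORIES]
        ranked.append((name, max(scores) if method == "highest" else sum(scores)))
    # Highest score first; ties broken by name so the order is stable.
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def priority_label(score: float) -> str:
    """Map a low/medium/high-scale score back to a label for the PRIORITY row."""
    return LABELS.get(int(score), str(score))


# Constructed sample: three information types rated on the low/medium/high scale.
SAMPLE = {
    "customer contact list": {
        "cost of revelation (confidentiality)": "high",
        "cost of lost access (availability)": "low",
        "fines, penalties, customer notification": "medium",
    },
    "marketing brochure": {
        "cost of revelation (confidentiality)": "low",
        "cost of lost work": "low",
    },
    "payroll records": {
        "cost of revelation (confidentiality)": "medium",
        "cost to verify information (integrity)": "medium",
        "fines, penalties, customer notification": "medium",
        "other legal costs": "medium",
    },
}

if __name__ == "__main__":
    for method in ("highest", "total"):
        print(f"--- method: {method}")
        for name, score in rank_information_types(SAMPLE, method):
            print(f"{name}: {priority_label(score)}")
```

Running the sample shows why the worksheet offers two rules: with the highest-rating rule the customer contact list comes first because of its single “high” cell, while adding the cells puts the payroll records first because of its many “medium” cells. Pick one rule and apply it to every information type.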
Develop an Inventory

Worksheet columns:
  Description (e.g. nickname, make, model, serial number, service ID, other identifying information)
  Location
  Type of information the product comes in contact with
  Overall Potential Impact

1) List what technology comes in contact with (accesses, processes, transmits or stores) your information. This can include hardware (e.g. computers) and software applications (e.g. browser, email).

2) In the first column, include identifying information such as the make, model, nickname, title, version, owner, and serial number.

3) Identify where that product is located. For software, identify what machine(s) the software has been loaded on to.

4) List the information type(s) that the hardware / software technology comes in contact with.

5) Review the information types and identify the highest priority level of the information.

Identify Threats, Vulnerabilities, and the Likelihood of an Incident

Worksheet: one column per Info type / Technology (…). Example column: Customer Contact Information on Dr. J. Smith’s cell phone.

Confidentiality
  Theft by criminal: Med (encrypted; password-protected)
  Accidental disclosure: Med (has previously lost phone twice)
Integrity
  Accidental alteration by user / employee: Med
  Intentional alteration by external criminal / hacker: Low
Availability
  Accidental destruction (fire, water, user error): Med (regular backups)
  Intentional destruction: Low
Overall Likelihood: Med

Priority matrix (Impact vs. Likelihood):
  High impact, low likelihood:  Priority 3 – Schedule a resolution. Focus on Respond and Recover solutions.
  High impact, high likelihood: Priority 1 – Implement immediate resolution. Focus on Detect and Protect solutions.
  Low impact, low likelihood:   No action needed.
  Low impact, high likelihood:  Priority 2 – Schedule a resolution. Focus on Detect and Protect solutions.
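Worked example added here (not part of the presentation) that carries the Dr. J. Smith example through to the priority matrix. It rolls the per-threat ratings up to the Overall Likelihood by taking the highest rating, which matches the example’s result (Med) and the highest-value rule of the prioritization worksheet, then looks up the action for the (Impact, Likelihood) pair. The slide’s matrix has only Low and High bands, so treating a “Med” rating as the High band is an assumption of this script (adjustable through `high_from`), as is the “high” impact assigned to the phone; the other inventory rows are constructed.

```python
from typing import Dict, List, Tuple

# Ordinal ratings used on the worksheet.
LEVEL = {"low": 1, "med": 2, "medium": 2, "high": 3}
NAME = {1: "low", 2: "med", 3: "high"}

# The slide's 2x2 matrix, keyed by (impact band, likelihood band).
# The number is the priority (0 = no action) and the text is the slide's guidance.
PRIORITY_MATRIX: Dict[Tuple[str, str], Tuple[int, str]] = {
    ("high", "high"): (1, "Implement immediate resolution. Focus on Detect and Protect solutions."),
    ("low", "high"): (2, "Schedule a resolution. Focus on Detect and Protect solutions."),
    ("high", "low"): (3, "Schedule a resolution. Focus on Respond and Recover solutions."),
    ("low", "low"): (0, "No action needed"),
}


def overall_likelihood(threats: Dict[str, str]) -> str:
    """Roll per-threat ratings up to one rating by taking the highest one."""
    if not threats:
        raise ValueError("no threats rated")
    highest = max(LEVEL[rating.strip().lower()] for rating in threats.values())
    return NAME[highest]


def to_band(rating: str, high_from: str = "med") -> str:
    """Collapse low/med/high to the matrix's Low/High bands.

    Assumption (the slide does not say): a rating at or above `high_from`
    counts as "high", so a medium rating is handled conservatively.
    """
    return "high" if LEVEL[rating.strip().lower()] >= LEVEL[high_from.lower()] else "low"


def prioritize(impact: str, likelihood: str) -> Tuple[int, str]:
    """Look up the matrix action for an (impact, likelihood) pair; 0 means no action."""
    return PRIORITY_MATRIX[(to_band(impact), to_band(likelihood))]


def plan(inventory: List[Dict]) -> List[Tuple[str, int, str]]:
    """Work through inventory rows and return (item, priority, action), most urgent first."""
    rows = []
    for item in inventory:
        likelihood = overall_likelihood(item["threats"])
        number, action = prioritize(item["impact"], likelihood)
        rows.append((item["description"], number, action))
    # Priority 1 first, then 2 and 3; "no action" (0) goes last.
    return sorted(rows, key=lambda row: (row[1] == 0, row[1], row[0]))


# Constructed sample inventory. The first row reproduces the slide's example;
# its "high" impact is assumed (the highest-priority information type it touches).
SAMPLE_INVENTORY = [
    {
        "description": "Dr. J. Smith's cell phone (customer contact information)",
        "impact": "high",
        "threats": {
            "theft by criminal": "med",
            "accidental disclosure": "med",
            "accidental alteration by user / employee": "med",
            "intentional alteration by external criminal / hacker": "low",
            "accidental destruction (fire, water, user error)": "med",
            "intentional destruction": "low",
        },
    },
    {
        "description": "lobby kiosk (public brochure)",
        "impact": "low",
        "threats": {"vandalism": "low", "hardware failure": "low"},
    },
    {
        "description": "backup server (payroll records)",
        "impact": "high",
        "threats": {"theft": "low", "disk failure": "low"},
    },
]

if __name__ == "__main__":
    for description, number, action in plan(SAMPLE_INVENTORY):
        label = f"Priority {number}" if number else "No action"
        print(f"{label}: {description} -> {action}")
```

The backup server shows the Priority 3 quadrant in action: the information it holds is high impact, but every rated threat is low, so the slide points at Respond and Recover (keeping restores working) rather than at immediate Protect and Detect changes.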
This Presentation is based on the following standards:

ISO 27000 family of Cybersecurity Standards
NIST Cyber Security Standards and Framework
HIPAA (Health Insurance Portability and Accountability Act)
The Payment Card Industry Data Security Standard (PCI-DSS)
DHS/FEMA Cybersecurity Community Preparedness Standards
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure of May 17, 2017


Presented by Ron Benvenisti, CyVision Technologies, Inc.
http://cyvisiontechnologies.com
