Basics of Security Requirements

My stratospheric view based on a cyber security unit

In my ICT networking course we take a very hands-on approach to implementing network and systems security. We also cover addressing an organisation's cyber security requirements and contributing to cyber security risk management. Both of these delivered the skills and knowledge required to identify and address cyber risks to digital assets in an SME environment.

Resources

The main resources from which I have taken my notes on cyber security are:

In today’s digital landscape, cybersecurity isn’t a technical add-on; it’s a fundamental business requirement. To effectively protect the confidentiality, integrity and availability of an organisation’s data and infrastructure (digital and physical), a systematic approach is needed, starting with the core process of analysing cyber security requirements. This process lays the groundwork for risk management and control implementation efforts.

The Foundation: Assets, Threats, and Risk

Tip

The journey begins with a clear understanding of what you need to protect. 

An asset register is a foundational tool that documents all valuable Information and Communication Technology (ICT) assets, which include not only hardware and software but also crucial information, infrastructure, specialised personnel, and outsourced services.

With the assets identified, a threat and risk assessment (TRA) can be undertaken. This is a systematic process to identify vulnerabilities, assess potential threats, and evaluate the resulting security risks. The goal is to identify and document the organisation’s specific cybersecurity requirements. A TRA goes beyond purely technical risk, also considering the potential for reputational, operational, transactional, and compliance risks.
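To make the asset register and TRA concrete, here is an added example (not code from the original post) that validates a small register against the asset types and risk categories named above, scores each risk as likelihood × impact, ranks the results, and reports assets that have no risk recorded against them at all. The 1–5 scales, the rating bands and all asset, owner and threat names are constructed assumptions for illustration, not an ASD or ISM standard.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Asset types and risk categories as listed in the notes above.
ASSET_TYPES = {"hardware", "software", "information", "infrastructure",
               "personnel", "outsourced service"}
RISK_CATEGORIES = {"technical", "reputational", "operational",
                   "transactional", "compliance"}
SCALE = range(1, 6)  # assumed 1 (very low) .. 5 (very high) scale


@dataclass(frozen=True)
class Asset:
    asset_id: str
    name: str
    asset_type: str
    owner: str          # every asset needs an accountable owner


@dataclass(frozen=True)
class Risk:
    asset_id: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    categories: FrozenSet[str]


def validate(register: List[Asset], risks: List[Risk]) -> List[str]:
    """Return a list of data-quality problems; an empty list means clean."""
    errors, ids = [], set()
    for a in register:
        if a.asset_id in ids:
            errors.append(f"duplicate asset id {a.asset_id}")
        ids.add(a.asset_id)
        if a.asset_type not in ASSET_TYPES:
            errors.append(f"{a.asset_id}: unknown asset type {a.asset_type!r}")
        if not a.owner:
            errors.append(f"{a.asset_id}: no owner recorded")
    for r in risks:
        if r.asset_id not in ids:
            errors.append(f"risk references unknown asset {r.asset_id}")
        if r.likelihood not in SCALE or r.impact not in SCALE:
            errors.append(f"{r.asset_id}: likelihood/impact outside 1..5")
        unknown = r.categories - RISK_CATEGORIES
        if unknown:
            errors.append(f"{r.asset_id}: unknown risk categories {sorted(unknown)}")
    return errors


def rating(likelihood: int, impact: int) -> Tuple[int, str]:
    """Assumed qualitative bands over the 1..25 likelihood*impact score."""
    score = likelihood * impact
    if score >= 15:
        band = "Extreme"
    elif score >= 8:
        band = "High"
    elif score >= 4:
        band = "Medium"
    else:
        band = "Low"
    return score, band


def assess(register: List[Asset], risks: List[Risk]) -> List[Tuple[str, int, str, str]]:
    """Rank risks highest first as (band, score, asset name, threat)."""
    names = {a.asset_id: a.name for a in register}
    ranked = []
    for r in risks:
        score, band = rating(r.likelihood, r.impact)
        ranked.append((band, score, names[r.asset_id], r.threat))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


def unassessed_assets(register: List[Asset], risks: List[Risk]) -> List[str]:
    """Assets in the register with no risk recorded: a TRA coverage gap."""
    covered = {r.asset_id for r in risks}
    return [a.name for a in register if a.asset_id not in covered]


# Constructed sample register and TRA entries for a small business.
REGISTER = [
    Asset("A1", "Customer database", "information", "Operations manager"),
    Asset("A2", "Office file server", "hardware", "IT contractor"),
    Asset("A3", "Managed payroll service", "outsourced service", "Finance lead"),
    Asset("A4", "Sole network administrator", "personnel", "General manager"),
]
RISKS = [
    Risk("A1", "ransomware encrypts customer records",
         "unpatched operating system and untested backups", 4, 5,
         frozenset({"operational", "reputational", "compliance"})),
    Risk("A2", "theft of server from unlocked comms room",
         "no physical access control", 2, 4, frozenset({"operational"})),
    Risk("A3", "provider outage delays the pay run",
         "no contingency plan for the provider", 3, 3,
         frozenset({"transactional", "operational"})),
]

if __name__ == "__main__":
    for problem in validate(REGISTER, RISKS):
        print("register problem:", problem)
    for band, score, asset, threat in assess(REGISTER, RISKS):
        print(f"{band:8} {score:2}  {asset}: {threat}")
    print("no risk assessed for:", unassessed_assets(REGISTER, RISKS))
```

Running it ranks the customer database ransomware scenario as Extreme ahead of the two High risks and flags the sole network administrator as an asset the TRA has not yet considered, which is the kind of gap a register-driven assessment is meant to surface.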

Establishing a Framework and a Maturity Level

Tip

To effectively manage risk, an organisation must adopt a framework. 

Cybersecurity framework. A set of guidelines and best practices used to manage and reduce cybersecurity risks. It provides a structured approach to identifying assets, assessing threats, and implementing security controls. This helps an organisation move from a reactive to a proactive security model, aligning its controls with its business objectives and compliance obligations.

Maturity level model. A way to measure the sophistication and effectiveness of an organisation’s security controls and processes. It provides a benchmark to assess where an organisation stands against its cybersecurity requirements and what steps it needs to take to improve.

Essential 8. A set of eight cyber security mitigation strategies developed by the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) to help organisations implement controls against cyber threats. These strategies focus on critical security controls and provide a roadmap for progressively enhancing an organisation’s cyber security posture.

The Essential 8 framework, for example, offers four maturity levels (from Zero to Three), allowing organisations to assess their current capabilities and plan for improvement. It recommends a structured approach to implementation by:

  • Identifying and planning for a target maturity level based on your organisation’s risk appetite.
  • Progressively implementing each level.
  • Aiming for a consistent maturity level across all eight strategies.
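The three planning points above can be turned into a small self-assessment calculation. The following is an added example (not code from the original post or from ASD): it records a level per strategy, derives the overall level as the lowest level achieved across all eight (the rule ASD’s assessment guidance uses, and an assumption this example relies on), lists the gaps to a chosen target, and shows the next progressive step, which is to bring every lagging strategy up one level before going higher. The per-strategy levels and the target are constructed sample values.

```python
from typing import Dict, List

# The eight mitigation strategies of the Essential Eight.
ESSENTIAL_EIGHT = (
    "application control",
    "patch applications",
    "configure Microsoft Office macro settings",
    "user application hardening",
    "restrict administrative privileges",
    "patch operating systems",
    "multi-factor authentication",
    "regular backups",
)
MATURITY_LEVELS = (0, 1, 2, 3)   # Maturity Level Zero .. Three


def _check(assessment: Dict[str, int]) -> None:
    """Reject assessments that miss a strategy or use an unknown level."""
    missing = [s for s in ESSENTIAL_EIGHT if s not in assessment]
    if missing:
        raise ValueError(f"no level recorded for: {missing}")
    bad = {s: lvl for s, lvl in assessment.items() if lvl not in MATURITY_LEVELS}
    if bad:
        raise ValueError(f"levels must be 0..3: {bad}")


def overall_maturity(assessment: Dict[str, int]) -> int:
    """Assumed rule: the overall level is the lowest level achieved across
    all eight strategies, so one lagging strategy caps the whole result."""
    _check(assessment)
    return min(assessment[s] for s in ESSENTIAL_EIGHT)


def gaps_to_target(assessment: Dict[str, int], target: int) -> Dict[str, int]:
    """Strategies below the target, with how many levels each must rise."""
    _check(assessment)
    if target not in MATURITY_LEVELS:
        raise ValueError("target must be 0..3")
    return {s: target - assessment[s] for s in ESSENTIAL_EIGHT
            if assessment[s] < target}


def next_step(assessment: Dict[str, int], target: int) -> List[str]:
    """Progressive implementation: raise every strategy that is still at the
    current overall level by one before attempting a higher level anywhere."""
    current = overall_maturity(assessment)
    if current >= target:
        return []
    step = current + 1
    return [s for s in ESSENTIAL_EIGHT if assessment[s] < step]


# Constructed sample self-assessment for an SME targeting Maturity Level Two.
ASSESSMENT = {
    "application control": 1,
    "patch applications": 2,
    "configure Microsoft Office macro settings": 2,
    "user application hardening": 1,
    "restrict administrative privileges": 1,
    "patch operating systems": 2,
    "multi-factor authentication": 1,
    "regular backups": 2,
}
TARGET = 2

if __name__ == "__main__":
    print("overall maturity level:", overall_maturity(ASSESSMENT))
    print("gaps to target:", gaps_to_target(ASSESSMENT, TARGET))
    print("next step, raise:", next_step(ASSESSMENT, TARGET))
```

Even though half of the strategies are already at Level Two, the overall level reports as One, which is exactly the point of aiming for a consistent level across all eight rather than pushing a few strategies ahead.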

Task

Essential 8 is an important topic, especially for Australian organisations, and deserves more attention. In the future I should have more articles on:

  • More detail on the ASD, ACSC, cyber.gov.au, Essential 8, and the Information Security Manual (ISM). Find the article here.
  • Essential 8 maturity levels. Read here.
  • Mapping between the Essential Eight maturity model strategies and ISM controls to achieve a desired Maturity Level.

By embracing a model-driven approach, organisations can create a roadmap for improving their cybersecurity posture. This strategy ensures that security efforts are prioritised and that controls are aligned and mutually reinforcing. For example, implementing one strategy at a lower maturity level could reduce the effectiveness of another strategy at a higher level. By progressively implementing controls to reach a desired level of security, an organisation can ensure its controls align with its risk appetite and compliance obligations.

Governance and Compliance as Key Drivers

Governance and compliance are also major drivers for implementing a cyber security strategy. The Australian Signals Directorate (ASD) developed the Essential 8 to help organisations mitigate cyber threats and achieve a higher level of protection. Organisations are often motivated to improve their security posture by factors such as mandatory data breach reporting, penetration test results, and the need to meet compliance requirements. By adhering to a recognised framework, an organisation can demonstrate due diligence and satisfy regulatory obligations, thereby mitigating

Change Management

Abstract

This is a planned and structured process to help an organisation align with a change. It’s a key part of the overall strategy and focuses on the “how” rather than the “what” of a change, emphasising the human element.

The process involves working with stakeholders to help them understand the change, sustain the transition, and overcome any challenges that may arise. Change can be perceived as an opportunity by some, but as a time of loss, threat, and disruption by others, and it involves adopting new mindsets, processes, and behaviours. A common process model for change includes three stages:

  • Unfreeze. Creating awareness and desire for change.
  • Change. Communicating with and involving people.
  • Refreeze. Making the new practices permanent.

The Change Control Process

Change needs to be well documented, controlled and authorised. This process is a structured way to manage modifications to a system or project. It’s designed to ensure that all changes are properly evaluated, approved, and documented before being implemented. The process typically starts with a formal Change Control Request (CCR) that outlines the proposed change, its purpose, and its potential impact. This request is then reviewed by the relevant stakeholders to assess the risks and benefits, and for wider communication. Once a decision is made, the change is implemented according to a controlled plan, and its effects are monitored to ensure it achieves the desired outcome without causing unintended problems.

Communication and Monitoring

For any cyber security strategy to achieve its potential, it requires ongoing effective communication and monitoring. The implementation of controls is an organisational change that requires buy-in from all stakeholders. This change management approach ensures that new policies and procedures are adopted and become a fundamental part of the organisation’s culture, turning a static plan into a dynamic and living defence.

In an era where every organisation is a target, simply reacting to incidents is not enough. A proactive approach to analysing cybersecurity requirements, from identifying assets and assessing risks to adopting a formal framework and measuring your maturity, is essential. This process, driven by strong governance and a commitment to compliance, is the only way to build a resilient, effective, and sustainable cyber defence that protects your most valuable assets and ensures business continuity.