
Running head: Strategic Cybersecurity Risk 1

Strategic Cybersecurity Risk Management for MediaKind

Name:

Institution:

Table of Contents

Strategic Cybersecurity Risk Management Plan 3
1 Mission statement 3
2 Vision statement 3
3 Introduction 3
4 Standard and Regulatory References 4
5 Definitions 4
6 Conventions 5
7 Responsibilities 5
8 The Strategic Cybersecurity Risk Management Team 5
9 Cyber Risk Management Process 6
9.1 Risk Management Flow Chart 6
10 Assets Identification 7
10.1 Hardware and Software Resources 7
10.2 Additional devices 7
10.3 The processes involved in the service 7
10.4 Information assets 8
10.5 Network Assets 8
10.6 Network interfaces and protocols 8
10.7 The user groups 8
11 Training 9
12 Constraints 9
13 Risk assessment 10
13.1 Threats 10
14 Existing Controls 10
15 Vulnerabilities 11
16 Consequences 11
17 Analysis 12
18 Evaluation 12
19 Risk treatment 12
20 Risk acceptance 13
21 Risk communication 13
22 Post-production monitoring and review 13
23 Ranking system for security risk analysis 13
23.1 Probability of occurrence 13
23.2 Severity 14
23.3 Risk Priority Number 15
24 Sample table of Risk Priority Using Two Variables 15
25 Communication with the safety risk management team 16

Strategic Cybersecurity Risk Management Plan

1 Mission statement:

Design and implement a cybersecurity risk management program for the organization, for adoption in the Company's strategic plan.

2 Vision statement:

Cultivate a security-focused mindset across all our business assets and operations.

3 Introduction

From the earliest days, living in an environment that guaranteed the security of people and property was vital. That security was provided by warriors tasked with this critical responsibility, and their training left no doubt that they were to protect the community's or clan's assets at all cost. With time, assets and property have shifted platforms and environments and have become digital. Virtual assets have therefore become more important to secure, and their risk and exposure continue to increase every day. Von Solms and Van Niekerk (2013) argued that risk varies from asset to asset and from entity to entity, depending on the value of what is stored. Threats to these assets come from all sides, ranging from competition to malice and curiosity. Mediakind is one of the organizations that rely on digital platforms in all their operations. This places it at an elevated risk level, bearing in mind the business it is in and the category of value it handles.

Mediakind deals with media creation, gathering, processing, delivery, and storage. This enables its platform to deliver customized media to clients anywhere and at any time. The environment calls for the use of various platforms, including cloud technology, the internet, and numerous hardware platforms that ensure this is done efficiently. The company has built a good relationship with its customers, coupled with the numerous global awards and presentations it has at its disposal. We can therefore say that Mediakind has become a market leader in the media industry, and this alone exposes it to considerable risk. On top of this, the company has partnered with many other entities to help deliver its media content to customers, and it can establish end-to-end connections anywhere at any time. To sustain this rate of innovation and competitiveness, the company must recognise that it holds a precious position in the media industry and in the global market and economy. Ensuring that its infrastructure is perennially secured is therefore critical as technology advances and threats increase. Mediakind will need to assess its vulnerabilities and ensure that intruders cannot compromise its territory, since a compromise could bring serious consequences across the board. Luiijf, Besseling and De Graaf (2013) argued that a proper cybersecurity risk management plan is mandatory given existing threat levels. This document therefore lays out the strategic cybersecurity risk management plan for an efficient and secure Mediakind infrastructure, which will also support its continued dominance in the market.

4 Standard and Regulatory References

#  Document Identifier   Document Title
1  ISO/IEC 27001:2013    Information security management systems — Requirements (second edition)
2  PCI DSS               PCI DSS Documentation Toolkit

5 Definitions

According to Öğüt, Raghunathan and Menon (2011), cybersecurity risk is the potential for a given threat to exploit a vulnerability in an entity's asset or assets and thereby cause harm to the organization.

6 Conventions

Cybersecurity risk and security risk are here deemed to have the same meaning in context and application.

7 Responsibilities

In the earlier days of security risk management, small groups of IT staff were tasked with ensuring that the entire information systems strategy worked as expected. Modern operating environments, however, demand the inclusion of many other personnel, so as to build a comprehensive and exhaustive picture of the entity's risk position and of the vulnerabilities that could be exploited, and from that to produce a mitigation plan.

8 The Strategic Cybersecurity Risk Management Team

Person                 Responsibility
Audit manager          Provide input on fraud cases that have been identified
QA Manager             Liaise with employees on the availability and quality of services as stipulated
System administrator   Provide input on hardware vulnerabilities that need to be addressed
Security analyst       Compile risks and vulnerabilities and present a solution for discussion
Security architect     Design a solution for identified risks and vulnerabilities
Security engineer      Implement security solutions to protect MediaKind
Operations Manager     Relay responses and suggestions from operating the systems: operating deficiencies and user concerns
HR manager             Coordinate and organize the team during the meetings
Finance manager        Together with the audit manager, give input on financial systems vulnerabilities
CISO                   Ensure that the agreed solutions have been implemented, to ensure business continuity

The above Mediakind personnel will therefore be tasked with steering the strategic plan and raising current security levels to the required standards. This group will also be responsible for making alterations and updates to this document in response to new threats and changes in the operating environment.

9 Cyber Risk Management Process

Cybersecurity management is a continuous process and can therefore be represented by the chart below.

9.1 Risk Management Flow Chart

[Flow chart image not reproduced in this extract.]
Source: https://www.google.com

10 Assets Identification

An asset is anything deemed of value to the company or to the manufacturer of the asset. For effective implementation of a cybersecurity plan, Disterer (2013) advised that it is essential to identify assets and establish their boundaries. In the case of MediaKind, the following assets have been identified.

10.1 Hardware and Software Resources

• The server hardware
• The server software
• End-user applications
• End-user nodes

Operations Environment

• Server environment
• User environment
• Intranet
• Extranet
• Web access

10.2 Additional devices

• Smartphone access
• TV access
• Transmission channels

10.3 The processes involved in the service

o Media creation
o Media storage
o Media processing
o Media transmission
o Internal processes
o Customer service
o Cloud services

10.4 Information assets

o Multimedia data
o Configuration data
o Log files

10.5 Network Assets

o Wi-Fi adapters
o Connectors
o Routers
o Switches
o NICs

10.6 Network interfaces and protocols

o HTTP, TCP, UDP
o Network ports

All these assets are essential to the organization and shall be secured to the maximum possible level. They form the operating environment and are therefore core to the sustainability of the entity's operations.

10.7 The user groups

o Internal users
o Client users
o Administrators
o Managers
o Customer service personnel

11 Training

Research by Boyce et al. (2011) commended continuous and regular updating of users' knowledge of current information systems and of the risks associated with their use. Because knowledge and areas of expertise vary, members will be given mandatory training sessions at selected locations. This will ensure that they gain the required cybersecurity experience and avoid exposing themselves and the company at large. Refresher courses and training will also be offered to those users who are vital in implementing the strategy. Having been trained, users will be required to take responsibility for their actions in the event of a breach caused by user negligence. The training will focus on a few current attack trends and techniques.

All administrators in the class of super users will be required to attend a monthly refresher or advancement course in cybersecurity. Super users will include Information Systems staff and all managers in MediaKind. This knowledge and expertise is expected to be shared with other staff members as new threats and discoveries emerge.

12 Constraints

Data will be made available over internet technology as well as dedicated and private networks, with network redundancy and backup media in the cloud facility. As the Risk IT Framework for Management of IT Related Business Risks (n.d.) acknowledges, to maximise the security of the assets, user access levels and access rights will be granted on a least-privilege basis, with additional clearance given on demand. This will include access to server rooms, both in-house and on the cloud platform. The CISO and all network security personnel will, however, be granted administrative rights so that they can reset, override and revise user access levels; this is to enable detection and immediate correction of anomalies during operations. Because standing administrative rights held by a whole group are themselves a risk under the least-privilege rule above, each use of these rights should be logged and reviewed. We will also establish a continuous relationship with all hardware and software manufacturers to maximise our security through patches and updates, and to ensure that we continue to receive documentation on operating these assets at optimum capacity.

13 Risk assessment

This document sets the standards for risk identification, analysis and evaluation, both to meet the objectives of the process and to rank priorities across systems and risks.

In the event of any security occurrence, a preliminary assessment will be conducted by the security group committee to review the overall security status of the organization. This will also assist in evaluating immediate response actions before the threat is contained and eliminated.

13.1 Threats

Threats are entities or activities that are likely to cause damage to our assets. In the case of Mediakind, we have identified the following threats:

• Criminal organizations (black-hat hackers): these may compromise resource integrity and cause losses of unknown volume.
• Inexperienced users: this is a primary consideration, and is why the organization will conduct continuous refresher courses to update skills and improve performance.
• Natural events: their causes cannot be controlled, so the remedies will be backup strategies and redundancy plans, ensuring that services continue to be offered to our customers without interruption.

14 Existing Controls

In response to evolving technologies and threats in the past, MediaKind has various security measures in place. However, modern attack techniques and the level of business competitiveness have forced the company to adopt a proper procedure for this process. The company has firewalls, licensed antivirus software, user policies, and usage monitoring tools. We have also been monitoring our networks and have ensured that all data leaving and entering our assets is encrypted in transit. Note that this is not purely asymmetric encryption: as in TLS, asymmetric keys authenticate the endpoints and establish a session key, and the bulk traffic is then protected with a symmetric cipher. This has helped significantly to reduce risk, but a strategic approach has become fundamental.

These measures have been effective, and given the departmental budget allocations of the past they have played a significant role. It has been observed, however, that they can no longer serve the company adequately. It has therefore been recommended that a more exhaustive process be put in place to identify assets and assign risk priorities and treatment techniques.

15 Vulnerabilities

From a past evaluation, the company is vulnerable for several reasons. Many users have not been changing their passwords as required, and some have been recording them on physical objects. The email scanners have not been working most of the time, which has placed company assets at considerable risk. The assessments conducted and reported also show that servers have not been updated regularly.

From the corporate angle, we have outgrown many of our competitors and attained a global image. This has increased risk and made us vulnerable to attack from all quarters. Our services are also superb, and many would want to steal our technologies to further their own business ambitions. We have also noted that internal threats make us more vulnerable to attack, and we therefore call on our people to report any issue that raises concern about system usage.

16 Consequences

With this in mind, we must consider the case where this strategy is not implemented. The damage may be disastrous and irreversible: we would lose our credibility to do business with both our strategic partners and our customers. We therefore call for proactivity in all corners of the organization to ensure the sustainability of the business. Liu, Xiao, Li, Liang and Chen (2012) advised that all information pertaining to assets, vulnerabilities, threats, current controls, and consequences should always be recorded in the security risk assessment report, and we wish to conform to this practice.



17 Analysis

In this process, all risks will be ranked according to their likelihood of exploiting a vulnerability and the impact they can cause in the entity (Shen, 2014), taking into account the data collected in the assessment stages. Each departmental head will be required to provide an analysis of the possible impact in their department so that measures can be prioritized and taken accordingly. The results of this stage must be recorded in the risk assessment report.

18 Evaluation

The RPN (Risk Priority Number) of each risk will be calculated as set out in section 23.3 and compared against the acceptance criteria in section 24. This will also take into account legal implications and regulatory requirements in the event of a security occurrence. The results of this stage will be recorded as well.

19 Risk treatment

According to Martin and Kung (2018), risk treatment is the process used to contain a risk. Given the category of business MediaKind is in, each risk will be treated using one or more of the following options, considered in this order:

1. Modification (applying controls),
2. Retention,
3. Avoidance,
4. Sharing.

Vulnerabilities and impacts on our end customers arising from the risk treatment will be a primary consideration.

20 Risk acceptance

Risk acceptance will be conducted using the ranking criteria in section 23 and the acceptance table in section 24, taking the risk treatment plan into account. A risk whose rating falls outside the acceptance criteria will be accepted only where there is documented justification for overriding them.

21 Risk communication

The assessment report will be communicated to all stakeholders inside and outside the organization to update and inform them on progress and expectations.

22 Post-production monitoring and review

To keep track of our systems' security status, a Risk Management File (RMF) will be reviewed and updated when:

• services are updated,
• resources change (assets, vulnerabilities, and threats),
• post-release information triggers a review. This review will be conducted quarterly, and all reviews will be documented in the RMF. It may involve re-evaluation of the ranking system and updates where necessary.

23 Ranking system for security risk analysis

This section gives the guidelines for allocating priority levels based on the following characteristics:

• Probability of occurrence
• Severity of impact
• Additional criteria

23.1 Probability of occurrence

Level  Description                                                          Probability of occurrence (P)
6      Occurs weekly                                                        High probability
5      Occurs monthly                                                       High probability
4      Could occur weekly                                                   Moderate probability
3      Could occur once a year but not known to have occurred               Low probability
2      Has never occurred but likely to occur once in a device lifetime     Low probability
1      Can happen but only in extreme circumstances                         Very low probability

As written, the level 4 description overlaps with level 6 (both refer to a weekly frequency), so the team should settle on a distinct frequency band for level 4 at the next review of the ranking system (section 22).

23.2 Severity

Level  Description                                                                                         Severity
5      Affects data confidentiality and causes a huge amount of data loss; threatens organizational        Catastrophic
       competitive advantage
4      Significant loss of data integrity; threatens the company's strategic partners                     Critical
3      Causes some loss of data integrity; affects end-user customers                                      Moderate
2      May cause limited disclosure of non-sensitive data; causes budgetary overruns                       Minor
1      Causes non-sensitive data disclosure; no cost implications                                          Negligible

23.3 Risk Priority Number

MediaKind will use the following formula to calculate the RPN:

Risk Priority Number (RPN) = Probability of Occurrence (P) × Severity (S)

With P from 1 to 6 and S from 1 to 5, the RPN ranges from 1 to 30. The RPN orders risks; whether a risk is acceptable is read from the cell of the table in section 24, not from the product alone, because the same RPN can fall in cells with different acceptance ratings (for example, 12 is Tolerable at P=6, S=2 but Not-Acceptable at P=4, S=3).

24 Sample table of Risk Priority Using Two Variables

TABLE OF RISK PRIORITY NUMBER (rows: probability level; columns: severity level; each cell gives RPN and acceptance rating)

Probability        Negligible (1)   Minor (2)        Moderate (3)         Critical (4)         Catastrophic (5)
Level 6            6  Acceptable    12 Tolerable     18 (not rated)       24 (not rated)       30 (not rated)
Frequent (5)       5  Acceptable    10 Tolerable     15 Not-Acceptable    20 Not-Acceptable    25 Not-Acceptable
Probable (4)       4  Acceptable    8  Tolerable     12 Not-Acceptable    16 Not-Acceptable    20 Not-Acceptable
Occasional (3)     3  Acceptable    6  Tolerable     9  Tolerable         12 Not-Acceptable    15 Not-Acceptable
Unlikely (2)       2  Acceptable    4  Acceptable    6  Tolerable         8  Tolerable         10 Tolerable
Very unlikely (1)  1  Acceptable    2  Acceptable    3  Acceptable        4  Acceptable        5  Acceptable

The source table gives no acceptance rating for level 6 at the Moderate, Critical and Catastrophic severities; those cells must be rated before any risk falling in them is accepted.
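The ranking scheme of sections 23 and 24 as a small risk-register tool. This is an added example written for this page, not MediaKind's own tooling: the level names and the acceptance table are transcribed from the tables above, the `Risk` class and the `rank_register`, `required_action` and `rpn_verdict_conflicts` functions are names chosen here, and the entries in `SAMPLE_REGISTER` are constructed from the vulnerabilities listed in section 15 with illustrative levels. It scores each entry, reads the acceptance verdict from the table cell rather than from the product, ranks the register by verdict and then RPN, and reports which RPN values the table maps to more than one verdict.

```python
"""Risk register scoring for the two-variable RPN scheme (sections 23 and 24).

Illustrative code added for this page; not MediaKind's own tooling. The level
names and the acceptance table are transcribed from the page. The register
entries in SAMPLE_REGISTER are constructed examples drawn from section 15.
"""
from __future__ import annotations

from dataclasses import dataclass

# Section 23.1 probability levels and section 23.2 severity levels.
PROBABILITY = {1: "Very unlikely", 2: "Unlikely", 3: "Occasional",
               4: "Probable", 5: "Frequent", 6: "Occurs weekly"}
SEVERITY = {1: "Negligible", 2: "Minor", 3: "Moderate",
            4: "Critical", 5: "Catastrophic"}

# Section 24 table, ACCEPTANCE[probability][severity]. The page gives row 6
# only for severities 1 and 2, so the remaining row-6 cells are absent here.
ACCEPTANCE = {
    6: {1: "Acceptable", 2: "Tolerable"},
    5: {1: "Acceptable", 2: "Tolerable", 3: "Not-Acceptable",
        4: "Not-Acceptable", 5: "Not-Acceptable"},
    4: {1: "Acceptable", 2: "Tolerable", 3: "Not-Acceptable",
        4: "Not-Acceptable", 5: "Not-Acceptable"},
    3: {1: "Acceptable", 2: "Tolerable", 3: "Tolerable",
        4: "Not-Acceptable", 5: "Not-Acceptable"},
    2: {1: "Acceptable", 2: "Acceptable", 3: "Tolerable",
        4: "Tolerable", 5: "Tolerable"},
    1: {s: "Acceptable" for s in SEVERITY},
}
# Attention order used for ranking; an unrated cell must be rated before
# acceptance (section 20), so it sorts above everything else.
ATTENTION = {"Acceptable": 0, "Tolerable": 1, "Not-Acceptable": 2, "Not rated": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # 1..6 per section 23.1
    severity: int     # 1..5 per section 23.2

    def rpn(self) -> int:
        """Section 23.3: RPN = probability of occurrence * severity."""
        if self.probability not in PROBABILITY or self.severity not in SEVERITY:
            raise ValueError(f"{self.name}: level out of range")
        return self.probability * self.severity

    def acceptance(self) -> str:
        """Verdict from the section 24 table cell, not from the RPN value."""
        self.rpn()  # range check
        return ACCEPTANCE[self.probability].get(self.severity, "Not rated")


def required_action(risk: Risk) -> str:
    """Sections 19 and 20: treat Not-Acceptable risks; accept Tolerable ones
    only with recorded justification; rate any cell the table lacks."""
    return {
        "Acceptable": "accept and record in the assessment report",
        "Tolerable": "accept with documented justification, otherwise treat",
        "Not-Acceptable": "treat (modify, retain, avoid or share) before review",
        "Not rated": "table cell missing on the page; rate before deciding",
    }[risk.acceptance()]


def rank_register(register: list[Risk]) -> list[Risk]:
    """Most attention first: verdict, then RPN, then severity as tie-breaker."""
    return sorted(register,
                  key=lambda r: (ATTENTION[r.acceptance()], r.rpn(), r.severity),
                  reverse=True)


def rpn_verdict_conflicts() -> dict[int, set[str]]:
    """RPN values that the table maps to more than one verdict. A non-empty
    result means the product alone cannot drive the acceptance decision."""
    seen: dict[int, set[str]] = {}
    for p, row in ACCEPTANCE.items():
        for s, verdict in row.items():
            seen.setdefault(p * s, set()).add(verdict)
    return {rpn: v for rpn, v in seen.items() if len(v) > 1}


# Constructed sample register; the levels are illustrative, not MediaKind's.
SAMPLE_REGISTER = [
    Risk("Servers not updated regularly", 5, 4),
    Risk("Passwords recorded on physical objects", 4, 3),
    Risk("Email scanner not running", 6, 3),
    Risk("Natural event disrupting a site", 1, 5),
    Risk("Limited disclosure of non-sensitive data", 2, 2),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"RPN {r.rpn():2d} {r.acceptance():15s} {r.name}: {required_action(r)}")
    print("RPN values with mixed verdicts:", rpn_verdict_conflicts())
```

Run it as a script to print the ranked register. Because the table has no rating for probability level 6 at severities 3 to 5, the tool marks such risks as "Not rated" and sorts them to the top, so they cannot pass the acceptance step unrated; `rpn_verdict_conflicts()` returns RPN 6 and 12, the two products that the table rates differently depending on the cell.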

25 Communication with the safety risk management team

Continuous communication between the strategic team and the safety risk management team will be established and safeguarded (Zhou & Hu, 2008). When a security breach has occurred, the information shall without fail be reported to the communication officer.



References

Boyce, M. W., Duma, K. M., Hettinger, L. J., Malone, T. B., Wilson, D. P., & Lockett-Reynolds, J. (2011, September). Human performance in cybersecurity: A research agenda. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting (Vol. 55, No. 1, pp. 1115-1119). Los Angeles, CA: SAGE Publications.

Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for information security management.

Hahn, A., & Govindarasu, M. (2011). Cyber attack exposure evaluation framework for the smart grid. IEEE Transactions on Smart Grid, 2(4), 835-843.

Liu, J., Xiao, Y., Li, S., Liang, W., & Chen, C. P. (2012). Cyber security and privacy issues in smart grids. IEEE Communications Surveys & Tutorials, 14(4), 981-997.

Luiijf, E., Besseling, K., & De Graaf, P. (2013). Nineteen national cyber security strategies. International Journal of Critical Infrastructures, 9(1-2), 3-31.

Martin, Y. S., & Kung, A. (2018). Methods and tools for GDPR compliance through privacy and data protection engineering. In 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 108-111). IEEE.

Öğüt, H., Raghunathan, S., & Menon, N. (2011). Cyber security risk management: Public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Analysis: An International Journal, 31(3), 497-512.

Risk IT Framework for Management of IT Related Business Risks. (n.d.). Retrieved from http://www.isaca.org/knowledge-center/risk-it-it-risk-management

Shen, L. (2014). The NIST cybersecurity framework: Overview and potential impacts. Scitech Lawyer, 10(4), 16.

Susskind, N. G. (2014). Cybersecurity compliance and risk management strategies: What directors, officers, and managers need to know. NYU Journal of Law & Business, 11, 573.

Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.

Zhou, Z., & Hu, C. (2008). Study on the e-government security risk management. International Journal of Computer Science and Network Security, 8(5), 208-213.
