arnoldkwong7

Cost of Doing Business #3

Changing priorities

EkaLore has previously written about the priorities and kinds of people needed to think about and prepare for a crisis. We’re going to discuss specific priorities and needs for utilities (public, private, and internal) as examples. The needs of utilities can be readily visualized, while the same needs in complex enterprises will require even more preparation, expense, and time.

Action today: Put a meeting on the schedule to understand your management area’s responsibilities for data and network security (i.e. who needs to know when a breach occurs or credentials are lost).


Planning and crisis processes are always an additional time and expense over the resource budgets needed to execute operations. The lean-running enterprise will always have immediate ideas that need tending, daily operational needs to be met, and questions to be answered. EkaLore has previously written about what kinds of people should be assigned and which tasks to start with.


A key priority change is dictated by government (law and regulation), industry (ability to work with peers and up/down supply chains), and critical stakeholders. Following more than 20 years of grinding committee work in the USA, critical industries (critical infrastructure, which includes the finance, transportation and energy sectors) are under Federal Government mandate to report hacking in less than 72 hours and other actions within 24. Here’s the specific Federal guidance:


“Actions to Take Today to Protect Energy Sector Networks:


• Implement and ensure robust network segmentation between IT and ICS networks.

• Enforce MFA to authenticate to a system.

• Manage the creation of, modification of, use of—and permissions associated with—privileged accounts.”


Information Technology managers need to provide management with specific project plans, resource assignments, budget, and priorities.


Executive management needs to have clear responsibilities, roles, and detailed plans (with backup people) for specific incident types. Who notifies and works with “authorities” (at many levels and agencies) is critical even for ‘small’ operations.


Operational managers need to have at least a detailed page of needs, immediate steps, and how critical business process work will get done (i.e. “who is responsible for making sure that chemicals, bio materials, and equipment are in a safe state”).


If you are management in a critical infrastructure company, you should be able to understand each of the technical guidance lines from CISA – it should be affecting how you work every day. If that’s not true – get with the technology folks and make sure you understand the need for protection today.


And that’s just today. More in our next release.


Read our latest blog posts and more at www.ekalore.com/blog-1
