Cyber Defense Doctrine – Managing the Risk: Full Applied Guide to Organizational Cyber Defense

The purpose of the Defense Doctrine is to present to the Israeli economy an orderly professional method for managing cyber risks in the organization. Using the method presented in this document, the organization will recognize the risks relevant to it, formulate a defensive response and implement a risk reduction plan accordingly.

This document was authored by the Israel National Cyber Directorate for the purpose of promoting Cyber Defense in the Israeli economy. All rights reserved to the State of Israel – the Israel National Cyber Directorate

Organizational Cyber Defense Doctrine

Introduction: This document, authored by the Israel National Cyber Directorate (INCD), aims to promote cyber defense within Israel’s economy. It provides a comprehensive guide on managing cyber risks within organizations.

Executive Summary:

This guide includes the following steps to manage cyber risks within organizations:

  1. Categorizing the Organization:
    • Category A: Organizations with medium-to-low potential damage from a cyber incident.
    • Category B: Organizations with high potential damage from a cyber incident.
  2. Risk Assessment and Management Process:
    • Organizations must identify defense objectives, required defense levels, and existing defense gaps.
    • Afterward, they should create a work plan to mitigate these gaps.

Structure of the Defense Doctrine:

The doctrine is divided into two main tracks based on potential damage from cyber incidents:

  • Category A: A simple and quick process for mapping defense objectives and answering key questions, typically carried out with external support.
  • Category B: A more complex risk assessment process, including risk analysis, risk mapping, and strategy determination for risk handling.

Implementation for Category A Organizations:

  1. Stage 1: Activity Mapping
    • Identify digital assets and business processes vulnerable to cyber attacks.
    • Produce a list of assets to be protected.
  2. Stages 2 and 3: Risk Assessment and Strategy Determination
    • Adopt a baseline of high-efficiency defense requirements, scaled to the potential harm a cyber incident could cause the organization.
    • Prefer controls that reduce the likelihood or impact of the most common incident types for the least effort, since a Category A organization does not run a full risk analysis of its own.
  3. Stage 4: Work Plan Development
    • Develop an annual plan to mitigate or transfer the identified risks, including processes and solutions such as periodic backup checks, laptop protection, endpoint protection software installation, and employee training.
  4. Stage 5: Continuous Audit and Control
    • Periodically check that the work plan is still relevant to the organization's current assets and threats, and that its implementation is on schedule.

Implementation for Category B Organizations:

  1. Stage 0: Corporate Governance and Strategy
    • Establish governance that supports the risk assessment process (sometimes called an ISMS, an Information Security Management System).
    • Define roles and responsibilities within the organization.
  2. Stage 1: Demarcation of Activities and Risk Assessment Survey
    • Define the boundaries between the Chief Information Security Officer (CISO) and other functions within the organization.
    • Understand the organization’s strategy and how information and cyber defense fit into it.
  3. Stage 2: Risk Assessment
    • Identify, analyze, and assess risks using an appropriate method such as FAIR (quantitative: loss event frequency times loss magnitude), OCTAVE, or ISO/IEC 27005.

Principles of the Defense Doctrine:

  1. Management Responsibility:
    • Management is primarily responsible for protecting the organization’s information.
  2. Defense from the Adversary’s View:
    • Defense recommendations and priorities should be derived from the attack scenarios adversaries actually use against organizations of this kind, and from how effective each defensive measure is against those scenarios.
  3. Defense Based on Israeli Knowledge and Experience:
    • The doctrine focuses on relevant risks for each organization, informed by periodic audits and intelligence assessments.
  4. Defense According to Potential Damage:
    • Investment in defense should be proportional to the criticality of the assets to the organization.

Risk Evaluation Methods:

  • Use loss calculators and published professional studies to estimate the cost of the damage an incident would cause, rather than relying on intuition.
  • Consider broader corporate responsibility aspects and long-term impacts of cyber incidents.
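
As an added worked example (not part of the INCD doctrine or of any tool it publishes), the following Python script shows the kind of quantitative assessment a FAIR-style Stage 2 produces and how it feeds the Stage 4 work plan, and it illustrates the damage-estimation point above: each scenario is described by three-point estimates of loss event frequency and loss magnitude, a Monte Carlo simulation turns those into an annualized loss expectancy (ALE), a 95th-percentile bad year and the probability of exceeding a loss tolerance, and candidate controls are ranked by annual loss reduction per unit of annual cost. The three scenarios, their estimates, the two controls, their effect multipliers and the 500,000 tolerance threshold are constructed for this illustration and are not figures from the doctrine; the only dependency is the Python standard library.

```python
"""FAIR-style quantitative cyber-risk assessment by Monte Carlo simulation.

Added illustration of the Stage 2 -> Stage 4 flow (assess risks, then rank
work-plan items by risk reduction per unit of cost). Not code from the INCD
doctrine; every scenario, estimate and control effect below is constructed.
"""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (min, most likely, max), sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    @property
    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    """One loss scenario in FAIR terms: how often it happens and what each event costs."""
    name: str
    loss_event_frequency: Estimate   # loss events per year (FAIR "LEF")
    loss_magnitude: Estimate         # cost per event, currency units (FAIR "LM")


@dataclass(frozen=True)
class Control:
    """A candidate work-plan item and its assumed effect on one scenario."""
    name: str
    scenario: str
    annual_cost: float
    frequency_factor: float = 1.0    # multiplier on LEF once the control is in place
    magnitude_factor: float = 1.0    # multiplier on LM once the control is in place


def poisson(lam: float, rng: random.Random) -> int:
    """Number of loss events in one year for expected rate `lam` (Knuth's method)."""
    if lam > 100:                    # exp(-lam) would underflow; normal approximation suffices
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, trials: int = 20000, seed: int = 1,
                           frequency_factor: float = 1.0,
                           magnitude_factor: float = 1.0) -> list[float]:
    """Simulate `trials` years: draw a rate, a Poisson event count, then a cost per event."""
    rng = random.Random(seed)        # fixed seed keeps the assessment reproducible for audit
    losses = []
    for _ in range(trials):
        rate = scenario.loss_event_frequency.sample(rng) * frequency_factor
        events = poisson(rate, rng)
        losses.append(sum(scenario.loss_magnitude.sample(rng) * magnitude_factor
                          for _ in range(events)))
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Annualized loss expectancy plus the tail figures management actually asks about."""
    ordered = sorted(losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    return {"ale": statistics.fmean(losses), "p95": p95, "max": ordered[-1]}


def probability_of_exceeding(losses: list[float], threshold: float) -> float:
    """Share of simulated years whose total loss exceeds `threshold` (a loss-tolerance check)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def rank_controls(scenarios: list[Scenario], controls: list[Control],
                  trials: int = 20000) -> list[tuple[str, float, float]]:
    """Score each control by annual risk reduction per unit of annual cost, highest first."""
    by_name = {s.name: s for s in scenarios}
    scored = []
    for c in controls:
        s = by_name[c.scenario]
        before = summarize(simulate_annual_losses(s, trials))["ale"]
        after = summarize(simulate_annual_losses(s, trials, frequency_factor=c.frequency_factor,
                                                 magnitude_factor=c.magnitude_factor))["ale"]
        reduction = before - after
        scored.append((c.name, reduction, reduction / c.annual_cost))
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed scenarios and controls (not from the doctrine); amounts are in ILS.
SCENARIOS = [
    Scenario("ransomware on file servers", Estimate(0.1, 0.3, 0.8), Estimate(50_000, 200_000, 1_000_000)),
    Scenario("business email compromise", Estimate(1, 3, 6), Estimate(5_000, 20_000, 80_000)),
    Scenario("lost unencrypted laptop", Estimate(0.5, 1, 2), Estimate(1_000, 10_000, 50_000)),
]
CONTROLS = [
    Control("offline backups + restore tests", "ransomware on file servers", 30_000, magnitude_factor=0.4),
    Control("full-disk encryption on laptops", "lost unencrypted laptop", 5_000, magnitude_factor=0.1),
]
LOSS_TOLERANCE = 500_000             # assumed annual loss the organization could not absorb

if __name__ == "__main__":
    for s in SCENARIOS:
        losses = simulate_annual_losses(s)
        stats = summarize(losses)
        print(f"{s.name:32s} ALE={stats['ale']:>10,.0f}  P95={stats['p95']:>10,.0f}"
              f"  P(loss>{LOSS_TOLERANCE:,})={probability_of_exceeding(losses, LOSS_TOLERANCE):.3f}")
    for name, reduction, ratio in rank_controls(SCENARIOS, CONTROLS):
        print(f"{name:32s} saves {reduction:>9,.0f}/yr  ({ratio:.1f}x its annual cost)")
```

The same seed is reused for the before and after runs of a scenario so that a control's effect is measured on identical draws rather than on simulation noise. In a real assessment the three-point estimates come from the asset owners and from the loss calculators and studies the doctrine points to, and the control ranking is read together with the "defense according to potential damage" principle: a cheap control with a high ratio does not automatically outrank the one that caps the single scenario capable of threatening the organization's survival.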

Tools and Methods for Continuous Control Implementation:

  • The doctrine supplies tools and methodologies for ongoing control and monitoring of the work plan within the organization, so that risk management is a continuous process rather than a one-time assessment.

Source:
https://www.gov.il/en/pages/cyber_security_methodology_2

Download: https://www.gov.il/BlobFolder/generalpage/cyber_security_methodology_2/en/ICDM%20V2.pdf