
Running Head: Comparing a Security Strategic Plan 1

Comparing a Security Strategic Plan

Student’s Name

Institution Affiliation

Date

Part 1

The purpose of a cybersecurity strategic plan is to give the management of a company the information it needs to make informed decisions. A second aim is to help management focus on accomplishing the organization's security goals. Finally, the plan prepares the organization for a data breach: when a cyber-attack happens, employees know what to do to contain the attack and how to recover from it.

The purpose of a security policy is to help employees understand how to maintain the security of data (Min & Chai, 2016). Customers also gain confidence in a company when they see the security policies that are in place to protect their data; customer satisfaction increases, and the business can grow. Employees may lose data through negligence (Alqahtani, 2017), so the policy should spell out the consequences an employee faces for violating it. This keeps employees accountable and encourages full compliance with the stated rules.

The major components of a cybersecurity strategic plan are the following. First is the response when a security breach takes place: the plan sets out communication plans, protocols, and recovery plans. The strategic plan also describes how the company will integrate cybersecurity measures into the organization. Finally, the plan includes a section on the regular assessment of the organization's systems, to reduce the likelihood of future attacks and to ensure that the systems meet the standards recommended by the government.

The components of a security policy should include the reason why the organization created the policy (its purpose). They also include its scope: who is covered by the policy, including employees, managers, the technological equipment, and the lines of business to which the policy applies. The policy also names the people responsible for implementing it. Finally, a significant component of a security policy is the disciplinary action an employee faces for violating any of its provisions.

The key stakeholders in the making of a cybersecurity strategic plan include the government, which sets standards that all business owners must meet regarding cybersecurity (Galinec, Moznik, & Guberina, 2017). Other stakeholders are the IT specialists, most importantly the Chief Information Security Officer. The management of the business is also present when the strategic cybersecurity plan is made. Another key stakeholder is the employees: they need representation in the making of the strategic plan, since they are part of the team required for the plan to take effect.

The key stakeholders in a cybersecurity policy are the business executives who own the business; they allocate the funds needed to implement some of these policies. Second is the legal department of the business, which must ensure that the policies meet the standards set by the government. In public companies, the board of directors is a key stakeholder; the board is responsible for reviewing and approving the policies before they take effect in the company. The human resources department is also a stakeholder, since it is responsible for enforcing the policies and disciplining those who violate them: the department decides whether an employee has violated a policy and reviews complaints filed against employees regarding the same. Finally, the procurement department is a stakeholder. Procurement is responsible for approving vendors, so it must ensure that online vendors comply with the cybersecurity policies in place; vendors that do not meet the policies are not allowed to trade with the organization.

Part 2

The table below maps each CIS Control to the NIST SP 800-53 control (with its control family) that addresses the same objective.

CIS Control: Inventory of Authorized and Unauthorized Devices
NIST control: Access control for mobile devices (Access Control family). Authorizes the connection of mobile devices to the organizational information system and prohibits the use of unclassified mobile devices in facilities containing information systems.

CIS Control: Inventory of Authorized and Unauthorized Software
NIST control: Least functionality (Configuration Management family). Defines the frequency at which the list of unauthorized software programs on the information system is reviewed and updated.

CIS Control: Maintenance, Monitoring, and Analysis of Audit Logs
NIST control: Physical access control (Physical and Environmental Protection family). Maintains physical access audit logs for organization-defined entry/exit points.

CIS Control: Continuous Vulnerability Management
NIST control: Vulnerability scanning (Risk Assessment family). Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for enumerating software flaws.

CIS Control: Controlled Use of Administrative Privileges
NIST control: Information system documentation (System and Services Acquisition family). Obtains user documentation for the information system, system component, or information system service that describes the user-accessible security functions/mechanisms.

CIS Control: Email and Web Browser Protection
NIST control: Media access (Media Protection family). Restricts access to organization-defined types of digital and non-digital media to organization-defined personnel or roles.

CIS Control: Malware Defenses
NIST control: Information system monitoring (System and Information Integrity family). Employs automated tools to integrate intrusion detection tools into flow control mechanisms, so that those mechanisms can be reconfigured rapidly in support of attack isolation and elimination.

CIS Control: Data Recovery Capabilities
NIST control: Information system backup (Contingency Planning family). Defines a frequency, consistent with the recovery time objectives and recovery point objectives specified in the information system contingency plan, for conducting backups of user-level information contained in the information system.

CIS Control: Boundary Defense
NIST control: System interconnections (Security Assessment and Authorization family). Prohibits the direct connection of an unclassified, national security system to an external network without the use of an approved boundary protection device.

CIS Control: Data Protection
NIST control: Memory protection (System and Information Integrity family). Defines the security safeguards to be implemented to protect information system memory from unauthorized code execution.

CIS Control: Limitation and Control of Network Ports, Protocols, and Services
NIST control: Access enforcement (Access Control family). Enforces the revocation of access authorizations that result from changes to the security attributes of subjects and objects, according to organization-defined rules governing the timing of those revocations.

CIS Control: Penetration Tests and Red Team Exercises
NIST control: Penetration testing (Security Assessment and Authorization family). Defines the information systems or system components on which penetration testing is conducted.

CIS Control: Wireless Monitoring and Control
NIST control: Identification and authentication (Identification and Authentication family). Implements multi-factor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

CIS Control: Implementing a Security Awareness and Training Program
NIST control: Incident response training (Incident Response family). Defines the period within which incident response training must be provided to information system users who assume an incident response role or responsibility.

CIS Control: Application Software Security
NIST control: System security plan (Planning family). Develops a security plan for the information system that provides an overview of the security requirements for the system.

CIS Control: Incident Response and Management
NIST control: Incident handling (Incident Response family). Employs automated mechanisms to assist in the collection of incident information.

References

Alqahtani, F. H. (2017). Developing an information security policy: A case study approach. Procedia Computer Science. https://doi.org/10.1016/j.procs.2017.12.206

Galinec, D., Moznik, D., & Guberina, B. (2017). Cybersecurity and cyberdefense: A national level strategic approach. Automatika: Journal for Control, Measurement, Electronics, Computing and Communications. https://doi.org/10.1080/00051144.2017.1407022

Min, K., & Chai, S.-W. (2016). An analytic study of cyber security strategies of Japan. International Journal of Security and Its Applications. https://doi.org/10.14257/ijsia.2016.10.10.05
