Latest Information Security Forum Report Examines How to Deliver an Effective Cyber Security Exercise
February 2019 by Security Forum Report
The Information Security Forum (ISF), the trusted resource for executives and board members on cyber security and risk management, today launched Delivering an Effective Cyber Security Exercise. This latest digest provides a structured approach for exercise controllers and facilitators to prepare, run and follow-up cyber security exercises.
Cyber security exercises can cover a range of tests or simulations, which are often based on cyber-attack scenarios. The scale, complexity, duration and scope of these exercises can differ depending on what the organization wants to achieve. Organizations can perform exercises in isolation or complete them as part of a wider program of cyber security testing. In many cases, ISF members find that running cyber security exercises as part of a wider program can reduce costs, improve efficiencies and support the application of lessons learnt across the organization.
“Cyber-attacks are commonplace in today’s world. They receive significant media attention and cause real damage to organizations. Performing cyber security exercises can help organizations improve their ability to detect, investigate and respond to cyber-attacks in a timely and effective manner,” said Steve Durbin, Managing Director, ISF. “Delivering an Effective Cyber Security Exercise highlights the key reasons that organizations choose to run cyber security exercises and the benefits of running them. The report will help our members to design cyber-attack scenarios and is supported by sample cyber security exercise playbooks that organizations can tailor to create their own.”
Cyber security exercises can test a range of targets, such as critical business applications, the technical infrastructure that supports them, or all systems in a particular location. Organizations can run these exercises for a variety of reasons, such as testing whether newly restructured business operations can withstand a cyber-attack, reacting to a newsworthy cyber incident, or complying with legal, regulatory or contractual requirements. Different individuals will be required to help prepare, run and follow up a cyber security exercise, examples of which include:
SPONSOR – A sponsor is the individual or group of individuals who hold responsibility (and often budget) for the parts of the organization that will be tested during the cyber security exercise. A sponsor may be the CTO, CIO, a business unit manager or a board member, and may champion a single cyber security exercise or a collection of exercises. While a sponsor will typically fund the exercise, they may not be directly involved, leaving most of the responsibility to the exercise controller or facilitators. Sponsors will typically agree objectives, review a report of key findings and approve action plans.
EXERCISE CONTROLLER – The exercise controller (often an information security manager or equivalent) oversees all aspects of the exercise, providing direction on behalf of the sponsor. While they may not facilitate the exercise on the day, they will help plan the exercise, delegate responsibilities to facilitators and liaise with internal and external stakeholders during the prepare and follow-up phases. The exercise controller should work with facilitators to develop a suitable set of actions and guidance to run the exercise effectively.
FACILITATORS – Facilitators are the individuals who coordinate the cyber security exercise on the day but are often involved in many aspects of preparation. They are responsible for:
• Running the exercise in line with objectives, while adhering to guidelines
• Delivering supporting ‘injects’ during the exercise to participants, shaping the narrative
• Recording key issues and evaluating performance of the participants
• Making sure the exercise runs smoothly, delivering maximum value
• Reporting back to the exercise controller during the cyber security exercise review
“Cyber security exercises are great, however, merely running a cyber security exercise is not enough. It needs to be based on thorough preparation, including designing cyber-attack scenarios, assessing operational constraints and building rigorous playbooks. If the results of the exercise are not used to create and implement comprehensive, achievable action plans, then it will only deliver limited value,” continued Durbin. “Performing cyber security exercises should be an integral part of any cyber security testing program. Organizations should investigate how running an effective cyber security exercise can significantly reduce the impact of cyber-attacks moving forward.”
Delivering an Effective Cyber Security Exercise is available now to ISF Member companies via the ISF website.