By Joseph E. Fishel
We have moved into the second month of 2020. The groundhog Punxsutawney Phil should be predicting if we are going to have six more months of winter or an early spring. Last month, many of us made New Year’s resolutions. Losing weight, getting healthy and making more money seem to be common resolutions. What about departmental goals or resolutions? Windows 7 will no longer be supported by Microsoft. Have you decided how you are going to protect devices that still use Windows 7? This past year saw many vulnerabilities pop up requiring patching and identifying devices where patching won’t work. We have had to look at alternative ways to protect our devices. The year behind us was a major leap forward in cybersecurity. Yesterday is behind us and the only thing we can change is the future. So, are you preparing for the future?
We developed cybersecurity plans to prevent, remediate and address issues last year. How is that going? Have you reviewed it lately? Have you updated the dashboard? Have any of the standards changed? The Joint Commission, CMS, IMQ, AAAHC, NEC, NFPA, NIST, CIS CSC 12, COBIT 5, ISA 62443-2-1:2009, ISO/IEC, etc. have updates that came out at the beginning of the year. Make sure you take the time to incorporate these new updates into your various plans, policies and procedures. This prepares you for the year and the new expectations that have to be met. It will also allow time to prepare for changes in areas that you may not have addressed previously.
Remember the red, yellow and green fields behind the standards in your cyberplan dashboard that identify where you are in your program? You may want to update these and look at what can be done to move toward all green. An example would be the “Have you been able to further identify the software on the devices?” requirement. If you did, make sure you update your dashboard to reflect the progress. Look over the dashboard and review your timelines on what is needed. Update your successes and delays as needed. Pick a few requirements to work on in the upcoming year. For things that are going to take longer, list out the tasks that might need to be done first. Develop a plan for this and put a standing time on your calendar each month to work on these. By doing that, and sticking to it, you will be surprised how much you will accomplish this year.
When you were addressing the multiple vulnerabilities in 2019, did everything in your plan work, or were there some irregularities where the plan can be improved? Did all of the communication plans work? Did we miss anyone who should have been notified? Reviewing the program itself is important, especially if you used names and not titles. Are those employees still in the same positions? Do you need to update or expand the steps you identified as needing some work?
Assessing the event and correcting what didn’t work prepares you for the next go-round. This is also a point where you can evaluate whether IoT tools could have eliminated the time you spent identifying which devices were vulnerable. Could they have provided mitigating controls to isolate the device and whitelist it? The hours/dollars spent are probably fresh in your mind to use for justification.
Are there fields of data that could make identifying affected devices easier? Did you have the data without the ability to sort it? An example would be a field that has the OS version with the service pack, such as XP SP3. Sometimes trying to sort using words in a field doesn’t work well because someone didn’t insert a space, used lowercase letters or all capital letters, or spelled it wrong. Have you started creating those fields and collecting data? Sometimes we have to request assistance from outside our department, and it can take time to get what is needed. So, start early.
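As an added illustration of the sorting problem just described (this is not part of the original column), here is a small Python routine that reduces inconsistently typed OS fields to separate, sortable family and service-pack values and then pulls the matching devices from an inventory. The inventory rows, asset names and field names are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample inventory: the same information typed several different ways
SAMPLE_INVENTORY = [
    {"asset": "INF-PUMP-01", "os_text": "XP SP3"},
    {"asset": "ULTRASOUND-02", "os_text": "Windows XP Service Pack 3"},
    {"asset": "WORKSTATION-03", "os_text": "WinXPSP2"},
    {"asset": "LAB-ANALYZER-04", "os_text": "windows 7 sp1"},
    {"asset": "CT-CONSOLE-05", "os_text": "Windows 10 1809"},
    {"asset": "GATEWAY-06", "os_text": "Ubuntu 18.04"},
]

# Optional "win"/"windows" prefix, then the family token. The word boundary and
# the lookahead keep digit runs such as "18.04" or "1809" from being read as a family.
OS_PATTERN = re.compile(r"\b(win(?:dows)?\s*)?(xp|vista|7|8\.1|8|10)(?!\d)")
# "SP3", "sp 3" and "Service Pack 3" all normalize to service pack 3
SP_PATTERN = re.compile(r"(?:sp|service\s*pack)\s*(\d+)")


@dataclass(frozen=True)
class OsRecord:
    family: str                  # "xp", "7", "10", ... or "unknown"
    service_pack: Optional[int]  # None when no service pack is recorded


def normalize_os(text: str) -> OsRecord:
    """Turn a free-text OS field into sortable (family, service_pack) values."""
    t = " ".join(text.lower().split())  # one case, one space between tokens
    family = "unknown"
    m = OS_PATTERN.search(t)
    if m:
        prefix, token = m.group(1), m.group(2)
        # A bare number needs the win/windows prefix so "CentOS 7" is not Windows 7
        if prefix or token in ("xp", "vista"):
            family = token
    sp = SP_PATTERN.search(t)
    return OsRecord(family, int(sp.group(1)) if sp else None)


def find_devices(inventory, family: str, service_pack: Optional[int] = None):
    """Asset names on the given family (and service pack, if one is specified)."""
    hits = []
    for row in inventory:
        rec = normalize_os(row["os_text"])
        if rec.family == family and (service_pack is None or rec.service_pack == service_pack):
            hits.append(row["asset"])
    return hits
```

Once the normalized family and service pack are stored as their own fields, the three differently typed XP entries sort together and an advisory for a specific service pack can be matched directly.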
Writing this reminds me that I need to get started on my program goals for this year.
