This paper discusses the goals of the federal government officials as well as the rationale for the decisions made in the prior round. The principal goal of the federal government department in charge of cybersecurity is to provide a secure cyberspace in order to protect citizens, investors and government agencies against attacks and disasters (Barlas, 2004; Carswell, 2012; Norquist, 2004). When cyberspace is insecure, people become nervous, and this could destabilize the economy (Carswell, 2012).
The officials and their roles are as follows:
Chief Information Officer (CIO)
The CIO is tasked with coordinating and making decisions regarding 1) Authorized Software Policy, 2) Backup RAID Levels, 3) Database Security, 4) Remote Access Policy, 5) Systems Development Testing, 6) Training, 7) Training and Auditing, 8) Training Incentives, and 9) Virtualization or Cloud Computing. The CIO ensures that the decisions made support profitability, meaning that cybersecurity is achieved in a manner that sustains future viability by keeping expenditures within budget. He also ensures that the decisions support collaboration between the federal government and private security agencies in order to implement cybersecurity measures effectively. In addition, he makes decisions regarding the training of employees and therefore has to consider how to motivate them in order to maintain a highly productive workforce (Networking and Information Technology Research and Development Program, NITRD, 2011). As a member of the CSC, the CIO makes decisions that are least concerned with the profitability index and instead place emphasis on security indices, the minimization of system downtime, and operation within the fiscal budget. Besides the CIO, other officials make decisions on behalf of the federal government. These are:
Chief Program Officer (CPO)
The CPO is in charge of 1) Business Continuity Planning, 2) Emergency Bypass Policy, 3) Breach Notification Policy, 4) General Access Policies, 5) Hiring and Employee Policy, 6) Information Privacy Policy, 7) Information Sharing, 8) Information Sharing Policy, and 9) Physical Security. The CPO also supports the achievement of the federal government’s goals by controlling cost so that project implementation remains within the preset budget (profitability) (Norquist, 2004). He also offers guidance to ensure that the decisions made towards cybersecurity are effectively carried out. The CPO also collaborates with private agencies as well as other agencies of the federal government security department to ensure that all the goals are achieved (National Commission on Terrorist Attacks upon the United States (9/11 Commission), 2004).
Chief Financial Officer (CFO)
The Chief Financial Officer (CFO) is tasked with controlling the budget and the funding of the security measures. The decision categories under the direction of the CFO for this simulation are the following: 1) Advisories, 2) CERT Controls, 3) External Collaboration, 4) Federal Government Information Classification, 5) ISACs, 6) Other Responders, 7) Public Relations, 8) Research Funding, and 9) Supply Tools. By controlling the budget of the project, the CFO plays a crucial role in ensuring that the project remains economically sound in both the short and the long term (National Institute of Standards & Technology, 2013).
Chief Information Security Officer (CISO)
The CISO makes decisions regarding 1) Antivirus Policy, 2) Authentication, 3) Data Encryption, 4) DNS Redundancy, 5) Firewall, 6) IDPS, 7) Load Management, 8) Patch Management, and 9) Role Based Access Control. The CISO ensures the security of all the information that is gathered in the effort to increase cybersecurity. By protecting information, for example from virus attacks, the CISO ensures that funds are not diverted to unbudgeted operations such as the purchase of additional antivirus software (Barlas, 2004). Where there is collaboration with other security agencies, the CISO limits access to crucial data by unauthorized personnel.
The roles of the Chief Information Officer and the rationale for his decisions in the previous round are as follows:
- Productivity / Database Security: The CIO must decide on the frequency of changing the database passwords, the degree of separation of roles between the administrator and the operators, and whether to enable or disable Operating System (OS) services. Keeping database security operations and decisions with the CIO minimizes the chances of unauthorized personnel accessing the database.
- Productivity / Training: The funding for training shall be $50,000. This amount shall be adequate to provide effective training while keeping the project fiscally viable.
- Productivity / Training Incentives: The training incentives comprise a compensation bonus averaging 100% of the fees paid by trainees. Upon completion of training, promotion shall depend on the outcomes of the training. This is an effective way to motivate the trainees and encourage hard work as they pursue promotion.
- Productivity / Remote Access Policy: Only the executive management shall be allowed remote access, and the access privilege granted shall be “low-read only”.
- Productivity / Authorized Software Policy: The CIO is in charge of decisions on software authorization. In this case, the CIO selected “approved software” in order to ensure the safe and high-quality maintenance of the databases and other operational platforms. By choosing to evaluate the software policy bi-annually, the CIO guarantees safe and effective operation and maintenance.
- Productivity / Systems Development Testing: The CIO determines the intensity of quality assurance testing as well as the degree of reliance on external vendors.
- Employee Morale / Training: The CIO shall ensure that employees are trained and motivated to undertake their work effectively.
- Employee Morale / Training Incentives: The CIO shall ensure that employees are offered incentives such as high compensation bonuses (100% of the certification fees) and the linking of their training outcomes to promotion, in order to motivate them.
- Employee Morale / Remote Access Policy: The choice to “focus on warnings” is informed by the concern that dismissed employees may leak details to hackers, creating a security breach. It also encourages employees to give their best by allaying some job security concerns regarding dismissal.
- Employee Morale / Authorized Software Policy: As in the Remote Access Policy above, the CIO shall choose to focus on warnings rather than dismissal when some rules are violated. After a couple of warnings, the CIO shall then dismiss the employee. Besides giving employees some sense of job security, this move also protects the software from hacking through details leaked by disgruntled employees.
- Employee Morale / Systems Development Testing: The CIO shall involve employees in the comprehensive testing of systems developed by external vendors in order to increase trust and transparency, promote teamwork, and encourage “in-house” development of solutions.
- Compliance / Backup: The CIO shall be in charge of the compliance backup in order to ensure the security of the entire system with minimal chances of unauthorized access to the backup. Due to the multi-tenant nature of the virtual or cloud environment in which the cybersecurity measures are implemented, security and backup are paramount concerns for the cybersecurity team when recovering data after a security breach or hacking.
- Compliance / Training and Auditing: Training staff on compliance entails training them on how to adhere to the policies and laws that apply to cybersecurity. Compliance auditing entails reviewing and ensuring that the employees deliver on their work and that the organization as a whole achieves its goals. Auditing is most effectively done by an outside body to ensure transparency and the absence of double standards in the execution of the auditing mandate.
References
Barlas, S. (2004, September). Mission: Critical. Information Security. Retrieved July 3, 2013, from http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss467_art974,00.html
Carswell, A. (2012). Cybersecurity capstone simulation - introduction. Retrieved from University of Maryland University College website: http://tychousa5.umuc.edu/CSEC670/1306/9023/class.nsf/Menu?OpenFrameSet&Login
DHS. (2003, December 17). Homeland Security Presidential Directive 7: Critical infrastructure identification, prioritization, and protection. U.S. Department of Homeland Security. Retrieved from http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm
National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://govinfo.library.unt.edu/911/report/911Report.pdf
National Institute of Standards & Technology. (2013, April). NIST Special Publication 800-53 Rev. 4: Security and privacy controls for federal information systems and organizations. Gaithersburg, MD. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.sp.800-53r4.pdf
Networking and Information Technology Research and Development Program (NITRD). (2011). Big Data (BD SSG). Retrieved from http://www.nitrd.gov/subcommittee/bigdata.aspx
Norquist, B. (2004). Governmental effects upon the cyber security decision making cycle. SANS Institute InfoSec Reading Room. Retrieved July 3, 2013, from http://www.sans.org/reading_room/whitepapers/modeling/governmental-effects-cyber-security-decision-making-cycle_1575