One of the biggest challenges facing veterinary practices is the lack of a cybersecurity strategy that addresses people as well as processes and technology. For most practice owners, making sure that policies and procedures are actually maintained over time, a task that depends on a working governance model, is not a priority when the practice first sets up its security controls.
As numerous studies have shown, including a joint study from Stanford University and the security firm Tessian, 85 percent of data breaches result from human error. Fortunately, veterinary practices can address this by adopting any of the five cybersecurity governance and management frameworks outlined below.
1. National Institute of Standards and Technology (NIST) Cybersecurity Framework
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a set of guidelines and best practices for improving an organization's cybersecurity. NIST, an agency of the U.S. Department of Commerce, developed it in response to a 2013 presidential executive order on critical infrastructure cybersecurity.
The core of the framework consists of five functions: identify, protect, detect, respond, and recover. (Version 2.0 of the CSF, published in 2024, adds a sixth function, govern, which covers exactly the policies, roles, and oversight this article is about.) These functions give an organization a structure to follow in order to improve its cybersecurity posture and manage cyber risks effectively.
1. The “identify” function focuses on understanding the organization’s assets, vulnerabilities, and threats. This includes identifying the types of data and systems that need to be protected, as well as the potential risks and vulnerabilities associated with them.
2. The “protect” function involves implementing controls and safeguards to prevent unauthorized access to assets and systems. This can include measures such as firewalls, antivirus software, and access controls.
3. The “detect” function covers the processes and technologies needed to notice a cyber incident in a timely manner: logging, continuous monitoring, and alerting on suspicious activity such as logins from unexpected locations or unusual data transfers. Regular security assessments and penetration tests complement this by checking whether the monitoring actually catches an attacker.
4. The “respond” function means having a plan in place before an incident occurs: an incident response plan that says who is notified, how the incident is contained and analyzed, and how clients, partners, and regulators are informed. Restoring systems and data belongs to the next function.
5. The “recover” function involves implementing processes and procedures to ensure that the organization can return to normal operations after a cyber incident. This can include disaster recovery plans and backups that are verified by actually restoring from them, not just by confirming the backup job ran.
Overall, the NIST Cybersecurity Framework provides a comprehensive set of guidelines and best practices for organizations to follow in order to improve their cybersecurity posture and manage cyber risks effectively.
2. International Organization for Standardization (ISO) 27001
ISO/IEC 27001, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is a widely recognized standard for information security management systems (ISMS). It provides a framework for establishing, implementing, maintaining, and continually improving an organization's information security.
The ISO 27001 standard specifies the requirements for an ISMS, including the development of policies and procedures for information security, the implementation of controls to protect information assets, and the regular review and assessment of the effectiveness of these controls. The standard also includes guidance on how to conduct risk assessments, as well as how to identify and prioritize information security risks.
One key aspect of the ISO 27001 standard is the concept of “risk treatment,” which involves evaluating the potential impact and likelihood of each information security risk and then deciding how to handle it: modify it by implementing controls, retain it as an accepted risk, avoid it by not doing the risky activity, or share it, for example through cyber insurance. Controls can include security policies and procedures, security training for employees, and technical safeguards such as firewalls and endpoint protection; the standard's Annex A lists the reference controls (93 of them in the 2022 revision) from which an organization selects.
The standard requires an organization to conduct internal audits and management reviews of its ISMS at planned intervals. An organization that also wants to be certified must pass an initial audit by an accredited certification body and then periodic surveillance audits. Certification to ISO 27001 demonstrates that an organization has implemented a robust and effective ISMS and is commonly used as a benchmark for information security management.
3. Control Objectives for Information and Related Technology (COBIT)
Control Objectives for Information and Related Technology (COBIT) is a framework for managing and optimizing information and technology (I&T) in an organization. It was developed by the Information Systems Audit and Control Association (ISACA) and is designed to help organizations align their I&T activities with their overall business goals and objectives.
The version described here, COBIT 5, consists of five principles and seven enablers. (ISACA's current release, COBIT 2019, extends this to six principles and renames the enablers “components,” but the structure below still applies.) The principles provide guidance on the overall governance and management of I&T in an organization, while the enablers provide a framework for implementing and maintaining effective I&T controls.
The five principles of COBIT are:
- Meeting stakeholder needs: This principle focuses on ensuring that I&T aligns with the needs and expectations of the organization’s stakeholders.
- Covering the enterprise end-to-end: This principle involves considering the entire organization when developing and implementing I&T controls.
- Applying a single, integrated framework: This principle involves using a consistent and cohesive framework for managing and optimizing I&T across the organization.
- Enabling a holistic approach: This principle involves considering the broader impact of I&T on the organization, including financial, risk, and resource implications.
- Separating governance from management: This principle involves establishing a clear separation between the governance and management of I&T in the organization.
The seven enablers of COBIT are:
- Principles, policies, and frameworks: This enabler involves establishing a clear set of principles, policies, and frameworks for managing and optimizing I&T in the organization.
- Processes: This enabler involves establishing a set of processes for managing and optimizing I&T in the organization.
- Organizational structures: This enabler involves establishing a clear organizational structure for managing and optimizing I&T in the organization.
- Culture, ethics, and behavior: This enabler involves establishing a culture of ethics and responsible behavior in the organization when it comes to I&T.
- Information: This enabler involves ensuring that relevant and accurate information is available to support the management and optimization of I&T in the organization.
- Services, infrastructure, and applications: This enabler involves ensuring that the organization has the necessary infrastructure and applications in place to support the management and optimization of I&T.
- People, skills, and competencies: This enabler involves ensuring that the organization has the necessary skills and competencies in place to support the management and optimization of I&T.
Overall, COBIT is a comprehensive framework for managing and optimizing I&T in an organization and is widely recognized as a best practice for IT governance.
4. Cybersecurity Capability Maturity Model (C2M2)
The Cybersecurity Capability Maturity Model (C2M2) is a framework for assessing and improving an organization's cybersecurity posture. It was developed by the U.S. Department of Energy (DOE) together with industry, originally for the electricity subsector, and is designed to help organizations understand their current cybersecurity capabilities and identify areas for improvement. It is free to use and is built for self-assessment, so a practice does not need an external auditor to apply it.
C2M2 itself groups practices into ten domains (for example risk management, asset management, access control, and incident response) and scores each domain on four maturity indicator levels, MIL0 through MIL3, where MIL0 means the practices are not performed at all and MIL3 means they are documented, resourced, and reviewed for effectiveness. The five-level ladder listed below, Initial through Optimizing, comes from the older Capability Maturity Model (CMM) on which C2M2 and most other maturity models are based, and it is a useful way to think about where a practice stands.
The five CMM-style maturity levels are:
- Initial: At the Initial maturity level, an organization’s cybersecurity capabilities are ad hoc and reactive. There is little to no formal planning or coordination of cybersecurity efforts, and the organization relies on individual efforts to address cybersecurity issues as they arise.
- Repeatable: At the Repeatable maturity level, an organization has established some basic cybersecurity policies and procedures and has begun to coordinate its efforts across different departments and functions. While there is still room for improvement, the organization has taken some steps to establish a more formalized approach to cybersecurity.
- Defined: At the Defined maturity level, an organization has a more formalized and structured approach to cybersecurity, with well-defined policies, procedures, and processes in place. The organization has established clear roles and responsibilities for cybersecurity and has begun to implement more advanced security controls and technologies.
- Managed: At the Managed maturity level, an organization has established a mature and robust cybersecurity program. The organization has implemented advanced security controls and technologies and has established processes for monitoring and managing cybersecurity risks, with measurements that show whether those processes are working.
- Optimizing: At the Optimizing maturity level, an organization has achieved a high level of cybersecurity capability and has established a culture of continuous improvement. The organization regularly reviews and assesses its cybersecurity posture and takes proactive steps to identify and address potential vulnerabilities.
Overall, the C2M2 framework provides a useful tool for organizations to assess and improve their cybersecurity posture and can help organizations identify areas for improvement and develop a roadmap for achieving a more mature cybersecurity program.
5. Critical Security Controls from the Center for Internet Security (CIS)
The Center for Internet Security (CIS) publishes the CIS Critical Security Controls (CIS Controls), a prioritized list of safeguards for improving an organization's cybersecurity posture. Where the NIST CSF in section 1 describes what a security program must cover (identify, protect, detect, respond, and recover), the CIS Controls describe concretely what to do: version 8 has 18 controls, including inventory of hardware and software assets, data protection, secure configuration, account and access management, continuous vulnerability management, audit log management, malware defenses, data recovery, security awareness training, and incident response management. CIS publishes a mapping from the Controls to the NIST CSF functions, so the two are commonly used together, the CSF for governance and the Controls for implementation.
Each control is broken into safeguards grouped into three Implementation Groups, IG1 through IG3, based on an organization's size, resources, and risk. IG1 is the baseline CIS calls essential cyber hygiene, and it is the set a small practice without a dedicated security team should start with before working toward IG2 and IG3. The CIS Controls are widely used by organizations of all sizes and industries and are regularly updated to reflect current threats and best practices; CIS also publishes the CIS Benchmarks, hardening guides for specific operating systems and products that a practice's IT provider can apply directly.
– Clint Latham