A company’s network and the cybersecurity implementation on that network require continuous monitoring and maintenance – just as a company would for any other piece of equipment. Maintenance of the cybersecurity implementation involves both periodic maintenance and incident response. The maintenance procedures and policies should be documented as part of a company’s overall cybersecurity plan, and compliance with these procedures and policies should be part of management’s oversight responsibilities.
When a cybersecurity problem is identified, incident or otherwise, the problem should be reported to the appropriate individuals responsible for oversight of network security. Immediate action should be taken to address any issue identified. The problem and the actions taken to address the problem should be fully documented.
Generally, most, if not all, of the software and hardware in a company’s network, and of the equipment connected to it, is supplied by outside suppliers. There should be a contractual requirement with each of these suppliers defining their responsibility for immediately identifying any security vulnerabilities related to their products. The remedy will vary depending on the complexity of the issue and the exposure it creates for the company.
Tools used to monitor and maintain the network should themselves be updated continuously so they can detect ever-evolving types of security threats. These tools should also be subject to significant scrutiny, since they, too, can contain malicious code that impacts the network or a “back door” that gives access to it. Security scanning of these tools, and of all vendor updates to equipment and software associated with the network and the cybersecurity implementation, should be required before they are approved for use on the network.
The security plan should address detection, analysis, containment, recovery, and prevention from reoccurrence. It should also document how personnel respond when a cybersecurity incident is detected.
Obvious security incidents like equipment failure, ransomware, phishing, etc., should immediately be reported to the appropriate network security personnel. Network monitoring tools should also be capable of detecting access control breaches and suspicious network traffic, detecting and identifying new equipment connected to the network, and scanning in real time all software running on the equipment connected to the network. These detection systems should also monitor and log all authorized access to the physical network equipment and, when possible, block all unauthorized access to this equipment.
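As an added example (not part of the original article), the following Python script implements the "new equipment connected to the network" check described above: it parses DHCP-server log lines in dnsmasq's DHCPACK format, compares each leasing MAC address against an approved asset inventory, and reports each unknown device once, so lease renewals do not flood the alert queue. The inventory, the log lines and the asset names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed approved-asset inventory keyed by MAC address (hypothetical values).
APPROVED_ASSETS = {
    "aa:bb:cc:00:00:01": "core-switch-01",
    "aa:bb:cc:00:00:02": "hr-workstation-07",
    "aa:bb:cc:00:00:03": "plc-line-3",
}

# Constructed sample log lines in dnsmasq's "DHCPACK(iface) ip mac hostname" format.
SAMPLE_LOG = """\
Jun 10 08:01:12 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.20 aa:bb:cc:00:00:02 hr-ws-07
Jun 10 08:03:44 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.51 de:ad:be:ef:00:01 android-4f2c
Jun 10 08:05:01 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.22 aa:bb:cc:00:00:03 plc-line-3
Jun 10 08:09:17 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.52 de:ad:be:ef:00:01 android-4f2c
Jun 10 08:12:30 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.53 00:11:22:33:44:55 laptop-x
"""

DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*DHCPACK\(\S+\) (?P<ip>[\d.]+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?"
)


@dataclass(frozen=True)
class Finding:
    first_seen: str
    mac: str
    ip: str
    hostname: str


def find_unknown_devices(log_text, inventory):
    """Return one Finding per MAC that obtained a lease but is not in inventory.
    Repeated leases for the same unknown MAC are collapsed to the first one."""
    seen = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement; ignore
        mac = m.group("mac").lower()
        if mac in inventory or mac in seen:
            continue
        seen[mac] = Finding(m.group("ts"), mac, m.group("ip"), m.group("host") or "?")
    return list(seen.values())


if __name__ == "__main__":
    for f in find_unknown_devices(SAMPLE_LOG, APPROVED_ASSETS):
        print(f"ALERT unknown device {f.mac} ({f.hostname}) got {f.ip} at {f.first_seen}")
```

In a real deployment the inventory would come from the asset register and the findings would be forwarded to the monitoring system rather than printed.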
Severe cybersecurity incidents are on the rise – especially ransomware attacks. Many companies choose not to report such incidents openly, representing the issue to employees and customers as an equipment failure or a major network failure. This is understandable, since management’s responsibility is to protect the company’s reputation, customer relations, and personnel. However, information about the vulnerabilities that led to these attacks and the actions taken to prevent a reoccurrence is very valuable in helping other companies avoid such attacks. Companies are encouraged to report all attacks to authorities. The FBI and your state's attorney general are the best authorities to notify when a severe cybersecurity incident is detected. By reporting the incident promptly, you may gain valuable information to help resolve the incident and provide important information to help other companies avoid a similar attack. If it is determined that an attack was caused by an unintentional action by an employee or service provider, it is important to address this with all employees and/or suppliers to minimize the chance of a repeat incident.
For more details on addressing maintenance and incident response relative to cybersecurity, you may want to reference Section 3.6 Incident Response, Section 3.7 Maintenance, and Section 3.14 System and Information Integrity of NIST standard SP 800-171.
For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.
Part 1: Engagement and Reinforcement
Part 2: Interaction Mapping
Part 3: Access Control
Part 4: Electronic Media Protection
Part 5: Identification and Authentication
Part 6: Activity Logging, Auditing, and Traceability
Part 7: Network Resource Configuration Management
Part 8: Communications, Network, and Database Security
Part 9: Personnel and Infrastructure Security
Part 10: Maintenance and Incident Response