OE21 Guideline: 6.2b 

Management of Information Systems

Strategic Objective: Protect organization from loss of sensitive information to outside sources

Quality Objective: Ensure information management systems reliability, security & cybersecurity

Responsibility: Lead: Operations Focus Team (OFT); Support: Other focus teams

Approved by: (Name) Chair, Leadership Focus Team (LFT)

Approved: DD-MMM-YY

VALUE ADDED

1. Ensure reliability and availability of information systems (hardware and software)

2. Ensure security of information systems and the data they house

3. Protect information and assets by limiting cyber attacks and events

4. Minimize impact on the organization from cyber attacks and events

 

POLICY          6.0 COMMENTARY

The organization has adopted the Baldrige Framework Item 6.2b Management of Information Systems, and 7.1b(2) Emergency Preparedness Results as the internal policy, including the following sub-items:

 

6.2b(1) Reliability - The organization ensures the reliability of its information systems.

 

6.2b(2) Security and Cybersecurity - The organization ensures the security and cybersecurity of sensitive or privileged data and information, including management of electronic and physical data and information to ensure confidentiality and appropriate access, including:

  • Maintaining awareness of emerging security and cybersecurity threats;

  • Identifying and prioritizing information technology systems to secure from cybersecurity attacks;

  • Protecting information systems from cybersecurity attacks; and

  • Detecting, responding to, and recovering from cybersecurity breaches.

 

7.1b(2) Emergency Preparedness Results - The organization tracks current levels and trends in key measures or indicators of the effectiveness of preparedness for disasters or emergencies (including cybersecurity breaches).

6.2b Flow Diagram (Figure 6.2b-1 Management of Information Systems)

6.2b Process Chart (Figure 6.2b-2 Management of Information Systems)

Inputs to 6.2b Management of Information Systems

  • Framework for Improving Critical Infrastructure Cybersecurity  (Latest Version from National Institute of Standards and Technology)

  • Internal organization tools for security and cybersecurity (if any are used)

Measurement and Analysis Tools and Techniques

Outputs from 6.2b Management of Information Systems

 

Case Study

  • Read the 6.2b Case Study


Implementation Instructions

Key Decision: The OE21 focus team responsible for this standard should begin by deciding whether or not the OE21 standard adds value (or is non-value added) when compared to any existing standard, SOP, or process the organization uses now. The decision process is:

 

1. The focus team studies all Tasks and tools used in the OE21 standard.

2. The focus team answers the questions:

  • NON-VALUE ADDED? Does the organization currently use a standard, SOP, or process that is deemed better than or essentially as good as the OE21 standard? If YES, then the focus team should document that this standard is deemed NVA, and then proceed to the next OE21 standard.

  • VALUE-ADDED? Does the organization currently use a standard, SOP, or process that is deemed better than or essentially as good as the OE21 standard? If NO, then the focus team should proceed to complete the following OE21 Implementation instructions.

 

Note: The NVA finding will be used later in the OE21 Certification Audit process.

START IMPLEMENTATION

Task 6.2b-1 - Define Requirements for Reliability/Availability of Information Systems - The Leadership Focus Team (LFT) ensures the reliability and availability of the organization's computers (hardware) and the software used. The organization's computers (hardware) are protected from power surges, power loss, water damage, fire damage, adverse weather (storms), unauthorized intruders, and other risks as specified in OE21 4.2 Information and Knowledge Management (Task 4.2.5). Availability of the organization's software/programs is ensured by applying the practices listed in that same standard/task.

  • PROGRESS: You have reached Milestone 1 (good work). Input the status [18%] on the organization's OE21 Intranet Main page alongside the title of this standard.

 

Task 6.2b-2 - Study Framework for Security and Cybersecurity - The Leadership Focus Team (LFT) uses the Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0 National Institute of Standards and Technology, February 12, 2014), and applies the following cybersecurity definitions:

  • CYBERSECURITY - The process of protecting information and assets by limiting the occurrence of, detecting, and responding to attacks.

 

  • CYBERSECURITY EVENT - A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).

 

  • CYBERATTACK - A cyberattack is any type of offensive tactic or maneuver employed by nation-states, individuals, groups, or organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts usually originating from an anonymous source that either steals, alters, or destroys a specified target by hacking into a susceptible system. These can be labeled as either a cyber campaign, cyberwarfare or cyberterrorism in a different context. Cyber attacks can range from installing spyware on a PC to attempts to destroy the infrastructure of entire nations. [source: Wikipedia]

This framework is used as a self-assessment tool to enable the organization to better understand the effectiveness of its cybersecurity risk management efforts, and to help identify strengths and opportunities for improvement in managing cybersecurity risk, based on the organization's mission, needs, and objectives.

Table 1 shows the Function and Category Unique Identifiers for the N.I.S.T. Framework for Improving Critical Infrastructure Cybersecurity. The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes.


Table 1 Framework for Improving Critical Infrastructure Cybersecurity

The Cybersecurity Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing detailed guidance for developing individual, organizational Profiles.

 

Through the use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.

NOTICE: If the Cybersecurity Framework is new to the organization, then it is advisable to seek outside assistance in learning the framework and how it should be applied. 

  • PROGRESS: You have reached Milestone 2 (good work). Input the status [36%] on the organization's OE21 Intranet Main page alongside the title of this standard.

 

Task 6.2b-3 - Conduct Cybersecurity Assessment - The Leadership Focus Team (LFT) uses the OE21 Cybersecurity Assessment tool to conduct regular assessments of the organization's cybersecurity readiness and its compliance with the N.I.S.T. Framework for Improving Critical Infrastructure Cybersecurity (N.I.S.T Cybersecurity Framework).

 

The OE21 Cybersecurity Assessment web-based survey is conducted to capture the survey ratings and comments from the respondents. Ideal respondents include Information Technology (IT) managers and members of the Operations Focus Team (OFT).

  • OFT 6.2b Cybersecurity Assessment (survey)

 

  • OFT_6.2b_Cybersecurity_Assessment (.xlsx)

 

This spreadsheet assessment tool enables the organization to evaluate (at a high level) the extent that the organization meets the N.I.S.T Cybersecurity Framework. 

 

The Leadership Focus Team (LFT), supported by the Operations Focus Team (OFT), conducts the assessment. When completed, the OE21 Cybersecurity Assessment spreadsheet is uploaded to the OE21 Storage Space (Dropbox, or other cloud storage space used by the organization).

Figure 6.2b-3 OFT 6.2b Cybersecurity Assessment Dashboard (spreadsheet model) shows example Dashboard Results from the 22-question assessment.

Figure 6.2b-3 OE21 Cybersecurity Assessment Dashboard

  • PROGRESS: You have reached Milestone 3 (good work). Input the status [43%] on the organization's OE21 Intranet Main page alongside the title of this standard.

Task 6.2b-4 - Create Process for Security and Cybersecurity Excellence - Based upon the results of the OE21 Cybersecurity Assessment, the Leadership Focus Team (LFT), supported by the Operations Focus Team (OFT), uses the ACI-Process Designer tool to create the process steps the organization will follow to meet the N.I.S.T Cybersecurity Framework security and cybersecurity requirements, including:

  • Manage electronic and physical data and information to ensure confidentiality and appropriate access;

  • Maintain organizational awareness of emerging security and cybersecurity threats;

  • Identify and prioritize information technology systems to secure the organization from cybersecurity attacks or breaches;

  • Protect data and information systems from cybersecurity attacks; and

  • Detect, respond to and recover from cybersecurity breaches.

  • OFT_6.1a_Process_Designer (.xlsx)

The Process Designer output is a new Cybersecurity Process Chart with steps, responsibilities, estimates of process time (Pt), and the estimated cost of the process. Over time, the Cybersecurity Process Chart's Pt, Wt, and NVA estimates and cost are updated based on experience.

  • PROGRESS: You have reached Milestone 4 (good work). Input the status [96%] on the organization's OE21 Intranet Main page alongside the title of this standard.

 

Task 6.2b-5 - Update Operations Excellence Action Plan - The Operations Excellence Action Plan is updated to include any additional project tasks or other information necessary to meet the requirements and criteria specified in this OE21 Guideline and the N.I.S.T Cybersecurity Framework. The Leadership Focus Team (LFT) will review and approve these changes to the Operations Excellence Action Plan, and may also use the outputs of this standard to update the Strategy Plan.

 

  • OFT_6.1a_Operations_Excellence_Action_Plan (.xlsx) 

 

Task 6.2b-6 - Input Cybersecurity Metrics into PMS - Unless the organization has its own Performance Management System, the OFT uses the Excel Workbook:

 

  • OFT_7.1_PMS_Operations_Excellence_Metrics (.xlsx)

 

As a minimum, the OFT selects, inputs, and tracks key measures for Security and Cybersecurity, including:

 

  • Number of Cyberattacks per Month

  • Cycle time from cyber attack until recovery of information systems and data

 

Task 6.2b-7 - Use PMS to Review Reliability, Availability and Cybersecurity-related Metrics

On a quarterly basis, the OFT, with support from all focus teams, uses the Performance Measurement System to monitor trends in cybersecurity initiatives versus goals. Normally these are updated quarterly, or when changes in conditions require updates. The OFT takes appropriate action to drive measures towards their goals. When goals are met, the OFT may raise the goals higher, as appropriate. See OE21 4.1 Task 4.1.5 for guidance.

 

Figure 6.2b-4 is an example Trend Chart and Action Plan for Cyber Attack Recovery.

  • PROGRESS: You have reached Milestone 5 (congratulations). Input the status [100%] on the organization's OE21 Intranet Main page alongside the title of this standard.

Figure 6.2b-4 Trend Chart and Action Plan for Cyber Attack Recovery (example)