Home Features Reviewing Critical Infrastructure Information Governance Practices in the Aftermath of Recent Attacks

Reviewing Critical Infrastructure Information Governance Practices in the Aftermath of Recent Attacks

With the recent international attacks on electrical power infrastructure, the threat actor motives could be a timely opportunity for those with accountability in this critical sector to review their Information Governance (IG) programs.

SHARE
Power and Utility

There are necessary and important data security needs in the nation’s public sector critical infrastructure services, such as water and wastewater treatment facilities, transportation, chemical, and energy sectors. Data security is to protect against intelligence gathering, distribution, maleficence against integrity, industrial espionage, and special initiatives from the government programs to protect the country (Smallwood, R. F. 2020). Given the intimate connection between technology and critical infrastructure services, one must contemplate the effects of incapacitation and unavailability of these services to a country’s economy, safety, and public health. Technology is instrumental in contributing to providing critical infrastructure to a nation.  In essence, the physical production of critical infrastructures, such as power distribution, is vital to modern-day life, but in the current environment of cyberattacks, the information and data created, collected, disseminated, and monitored are equally significant.

By Stan Mierzwa, M.S., CISSP, Director and Lecturer, Center for Cybersecurity, Kean University

With the recent international attacks on electrical power infrastructure, the threat actor motives could be a timely opportunity for those with accountability in this critical sector to review their Information Governance (IG) programs. Similar to other such efforts that partake in steps of continuous improvements, an IG driver should not be considered static, but more of living energy.  To many, the idea of an IG program may seem vague – so as a brief reminder, IG programs include the ways an organization maintains its security, works to comply with regulations and laws in the respective industry, and maintains ethical standards (Smallwood, R. F. 2020).  As part of the effort, those organizations recently attacked should consider studying, or if unavailable, employing proper Information Governance strategies to help with the protection of data, as an invaluable asset. This effort will entail going back to the drawing table to study the legal and sector-related regulations, so that they are met, but more importantly so that they are exceeded! This focal action will include a process to employ tasks to help categorize the most critical and important information and data. Ensure to engage appropriate Information Governance policies that will help to enforce security-related information technologies, such as encryption, strict access controls, information rights management, digital shredding capabilities, auditing, and logging (Smallwood, R. F. 2020).  One other component often considered and approached with Information Governance procedures is to work towards efficient evolutionary enhancements.  Given the changing landscape of technology solutions being upgraded and implemented as part of new efforts or replacement products, it is critically important to review the security and possible unmet needs concerning cybersecurity.  It is often the case that when carrying out new solutions (hardware or software), one is eager to ensure everything is simply working and meeting the end-user and stakeholder needs. However, there must be an effort to review for deficiencies in security defense.

One other important element of an IG program involves properly managing data and the organizations’ records. Records in the power industry can come from many different and varied sources, and each of them can have the potential of providing a threat actor with access to valuable information that can be used against the power provider. ARMA International has published a set of eight critical principles that can be followed to stand-in an excellent recordkeeping operation. These “Principles” are referred to as the Generally Accepted Recordkeeping Principles and are associated with proper information governance framework (Smallwood, R. F. 2020).

During a crisis of a cybersecurity incident, it is natural to consider what ways to put in place technology layers to help defend against further such attacks. Such efforts are important and may certainly be necessary, however, as part of the de-briefing after attacks, it may be valuable for those with accountability to reach a level or two above the technology and consider the Information Governance, Data Governance and IT Governance approaches in place to set in motion changes to protect stakeholders.


References

  1. Smallwood, R. F. (2020). Information Governance – Concepts, Strategies, and Best Practices. Second Edition. John Wiley & Sons, Inc., Hoboken, New Jersey.
  2. Tallon, P. 2013. Corporate Governance of Big Data: Perspectives on Value, Risk, and Cost. IEEE Computer Society.
  3. ARMA International. 2017. Generally Accepted Recordkeeping Principles. As retrieved: www.arma.org/principles.

About Author

Stanley Mierzwa is the Director, Center for Cybersecurity at Kean UniversityStanley Mierzwa is the Director of, Center for Cybersecurity at Kean University in the United States. He lectures at Kean University on Cybersecurity Risk Management, Cyber Policy, Digital Crime and Terrorism, and Foundations in Cybersecurity.  He is a peer reviewer for the Online Journal of Public Health Informatics journal, a member of the FBI Infragard, IEEE, (ISC)², and a board member (Chief Technology Officer) of the global pharmacy education non-profit, Vennue Foundation. Stan holds an MS in Management with specialization in Information Systems from New Jersey Institute of Technology and a BS in Electrical Engineering Technology from Fairleigh Dickinson University, is also a Certified Information Systems Security Professional (CISSP).

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.