The Cybersecurity and Infrastructure Security Agency (CISA) provides a range of evaluation options that can be used to address vulnerabilities and protect systems. The concept of indexing performance areas refers to arranging the areas of activity based on their importance and contribution to the overall organizational work. In terms of security provision, it is critical to compare and contrast the areas of an organization to identify the most vulnerable issues and the corresponding measures to address them (Fisher & Norman, 2010). The assessment of risks is the first line of security since it allows for further information sharing, as well as restoration and recovery strategies. In addition, indexing performance areas is essential for identifying budgeting needs when funding opportunities are limited. It helps avoid unnecessary spending through a proper initial assessment and subsequent planning of the resources to be used.
The given list of performance areas can be improved by dividing it into cybersecurity and physical-related issues. On the one hand, there is a need to pay attention to cyber threats, which can be done by means of continuous vulnerability scanning. It implies evaluating static IPs, services, and external networks in general to generate weekly reports. Reviews of the configurations of databases and servers, along with response capability evaluation, should be added to the given list. Surveys of cyber infrastructure would lead to more elaborate threat identification and timely response. On the other hand, human-related threats should be evaluated separately to make sure that human factors are taken into account. In many cases, physical security and personnel security depend not only on the policies adopted in an organization, but also on the way employees perceive and practice them (Fisher & Norman, 2010). Therefore, personnel training is one more area that should be included in the list. Accordingly, it can be linked with emergency planning and readiness exercises to achieve a higher level of employee engagement in ensuring security.
It is important to emphasize that information sharing is critical for both cyber and human-related security. While automated systems would share data regarding threat detection, vulnerability, and the capability to address it, human resources can share sensitive information and work in cooperation to plan response actions. The combined system of information sharing seems to be the best choice to provide enhanced cybersecurity in the context of a limited budget (Rehak et al., 2019). The benefits of such an approach involve transparency, flexibility, and inclusivity of the practices that would be developed based on the existing standards. However, one should also note that the current list of performance areas needs to be adjusted to meet the changing security needs.
The resilience of critical infrastructure elements can be recommended as another area of performance, as it serves to determine the reliability of the practices and systems that are used in an organization. According to Rehak et al. (2019), resilience may be considered as a quality that decreases the vulnerability of the systems, enhancing their ability to recover. A complex approach suggested by the above authors implies evaluating resilience based on the ability of systems to recover after cyber-attacks and the robustness of their responses, which is consistent with CISA recommendations. This area should be included in both proposed lists as it concerns organizational and technical issues. Thus, the list provided by Mr. Krebs should be extended to cover more areas of improvement, while all of its current elements are essential as well.
Fisher, R., & Norman, M. (2010). Developing measurement indices to enhance protection and resilience of critical infrastructure and key resources. Journal of Business Continuity & Emergency Planning, 4(3), 191-206.
Rehak, D., Senovsky, P., Hromada, M., & Lovecek, T. (2019). Complex approach to assessing resilience of critical infrastructure elements. International Journal of Critical Infrastructure Protection, 25, 125-138.