For over 25 years, Haystax has been the provider of world-class commercial software products for direct use by individuals in the agencies charged with protecting our communities, cities, and country. Thus, our product is one of the most widely deployed risk management software solutions, used by school, law enforcement, fire, emergency management, and other government agencies across the United States.

Image module

Haystax for School Safety

Haystax meets the constantly evolving challenges of providing safe learning environments for students, faculty, staff, and local security partners by integrating all vital incident and school facility information into a single, online platform.  Physical assessments and behavioral assessments along with the ability to report and monitor incidents on or near campus are hallmarks of Haystax for School Safety.  Know your threats sooner, respond faster, and effectively coordinate actions for all stakeholders.

Image module

Haystax for Public Safety

Law enforcement professionals are called upon daily to perform a broad range of tasks—from routine patrols, intelligence gathering and investigations to major crime and incident responses. Their challenge is to ensure public safety despite incomplete intelligence, limited cross-jurisdictional information sharing, and tight budgets. Haystax helps law enforcement agencies prepare for and respond to any crisis with a dynamic picture of emerging threats, rapid  intelligence-collection and incident-reporting tools, and a seamlessly integrated user environment that  ensures maximum collaboration and analytically sound command decisions for rapid response.

Image module

Haystax for Enterprise Security

Haystax has developed a suite of applications designed specifically to help corporate security decision-makers and analysts navigate this challenging environment. Haystax alerts corporate leaders to their most likely threats and natural hazards, provides critical security and operational information about each physical facility, regardless of its size or geographic location, and allows risk managers to identify and mitigate their biggest vulnerabilities. Moreover, the Haystax platform enables security teams to manage incidents and major events—from the ops center or out in the field.

Equipped with these insights, CSOs can better anticipate their risks, communicate with leadership and limit their company’s exposure to financial, legal and reputational liabilities.

PrevSecurity AnalyticsHaystax Product Update: New Dashboard App04 November 2016NextSituational awarenessBay Area Agencies Rely on Haystax for Security Awareness During Oakland Raiders Games18 November 2016

Lessons From the Financial Sector’s Approach to Cybersecurity Regulation

November 9, 2016
Cyber security

In earlier blogs, (here and here) we discussed weaknesses of the new industrial insider threat program regulation, the National Industrial Security Operating Manual (NISPOM) Change 2. As the November 30 deadline for initial NISPOM 2 compliance approaches, it is an opportune time to contrast those weaknesses with the strengths of a recently proposed cybersecurity regulation for financial services firms.

The strengths of the cybersecurity regulation provide important lessons for policymakers to consider as they implement NISPOM 2 and try to compel companies to design effective programs, rather than to merely comply with minimal standards.

The proposed cybersecurity regulation, known as the Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards, was introduced on October 19 by the Federal Reserve Board, Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation. These agencies are considering applying enhanced cybersecurity standards to entities with total consolidated assets of $50 billion or more.

In this blog, I will highlight two important themes and how they are handled differently by NISPOM 2 and the enhanced standards.

Theme 1: Approach to Risk

The enhanced standards approach cybersecurity concerns holistically, by looking at the impact such damages may have on the financial system as a whole, not just on individual companies. The regulation is written from the perspective of the entire system, and how cyber threats from large companies might impact the functioning of this system. By providing such context, the regulation appeals to “common goals,” rather than individual mandates that do not consider the bigger picture.

NISPOM 2 is applicable to all companies with facilities clearances — large and small. The overseer of the NISPOM, the Defense Security Service (DSS), will evaluate the programs, but there is nothing in NISPOM  2 that addresses the impact one program might have on the other, or how each company might implement its insider threat programs in coordination with others and with the government. Such context could certainly help companies target the most effective use of their resources and show how they are contributing to the overall protection of classified materials. The focus on individual programs reduces such incentives, encourages waste and encourages a ‘check-the-box’ compliance approach to meeting minimum requirements with as little effort as possible.

Theme 2: Approach to Governance and Oversight

The enhanced standards are considering requiring that entities develop a written, board-approved enterprise-wide cyber risk management strategy that is incorporated into the overall business strategy and risk management of the firm. Because the board of directors would oversee and hold senior management accountable for implementing the cyber risk management strategy, the enhanced standards are considering requiring the board of directors to have adequate expertise in cybersecurity or to maintain access to resources or staff with such expertise. The enhanced standards talk a lot about how best to audit the cyber risk management profile and track results.

The recommendation that cybersecurity risk management is part of a company’s overall business strategy implies that cybersecurity is not just a ‘cost center’ but instead is an integral part of a company’s growth strategy and something that is not just for compliance, but could be leveraged to gain competitive advantage. Additionally, the enhanced standards acknowledge that governing bodies should be knowledgeable about cybersecurity — which implies that the governing bodies will understand the importance of cyber security and not treat it solely as a compliance issue.

In contrast, NISPOM 2 does not discuss how to best integrate an insider threat program into a company’s overall risk management program. It merely requires that an “Insider Threat Program Senior Official” be named to oversee and report results of program to DSS, and that this person be a “US citizen employee and senior official of the company.”

Implications

Clearly, the DSS — and stakeholder community — would be wise to adopt some of the approaches taken by the enhanced standards. As we’ve discussed in previous blogs, the weaknesses of NISPOM 2 stem from its focus on individual organizations, regardless of size, and its lack of emphasis on the importance of an overall holistic approach to risk. NISPOM 2 is a decidedly bottom-up, company-centric approach, rather than a top down, industry-centric approach. Providing this top-down framework and context as the enhanced standards propose to do might provide much more targeted and realistic requirements for individual organizations.

Tom Read is Vice President for Security Analytics at Haystax Technology.

 

Related posts