Corporate Cybersecurity plans must evolve.

Author: Pankowski, Jacob
Position: Ethics Corner

President Barack Obama on Feb. 12, 2013 signed Executive Order 13636, "Improving Critical Infrastructure Cybersecurity" (published in the Federal Register on Feb. 19), and issued Presidential Policy Directive 21, "Critical Infrastructure Security and Resilience." Together they placed new emphasis on combating attacks on the nation's corporate and industrial sectors.


The executive order and the directive outline a three-pronged approach to cybersecurity: information sharing between government and industry, privacy and civil-liberties protections, and enhanced, voluntary cybersecurity practices, the last taking the form of a framework the order directs the National Institute of Standards and Technology to develop. While legislation will most likely be forthcoming to put additional "meat on the bones," the directive already provides insight into the administration's viewpoint on the issue.

Both before and after it was issued, federal agencies put forth a myriad of agency-specific, and sometimes contract-specific, sets of standards and requirements to govern cybersecurity, covering breach notification, audit access, screening of employees and penalties. Moreover, existing federal law in certain sectors, such as financial institutions and energy, has already established robust network security requirements.

Making sense of these various contract, regulatory and policy requirements is a daunting task. If there is one takeaway from this exercise it is that companies, especially those designated as "critical infrastructure" under the executive order, must develop and/or refine their cyber-incident response plans.

Developing these plans requires active buy-in from the company's senior management and the full cooperation of the information-technology and security departments.

A common failing is to address only external cyberthreats and ignore internal ones, or vice versa. All plans should give employees concrete practices for maintaining a secure environment; the column's own example is that passwords should be changed regularly, though a practitioner should note that later federal guidance (NIST Special Publication 800-63B) no longer recommends forced periodic password changes absent evidence of compromise, favoring long passwords, multi-factor authentication and screening against known-breached passwords instead. Plans should not only focus on preventing an attack but should also assume that a breach has occurred, and develop protocols that isolate and insulate a company's most treasured assets from intruders who have already bypassed the exterior protections.

Meeting this requirement means first knowing, and fully understanding, which intellectual property and data matter most to the company, its "crown jewels," since a plan cannot segregate assets it has not identified.

In addition to U.S. cybersecurity standards, multinational corporations also face the challenge of complying with the rules of different countries, along with the privacy requirements of those jurisdictions. Efforts have been made, especially by the European Union, at bringing greater...
