Enterprise businesses run on software. There are many variables in application performance. One of them is simply availability: can your employees and users access your software and data when they need them? APM has much to offer here. So does information security.
The US National Institute of Standards and Technology (NIST) has published the “Framework for Improving Critical Infrastructure Cybersecurity.” Here we highlight some of its major points. In the introduction, NIST says:
“The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.”
The document is a set of recommended standards and best practices to protect critical infrastructure, meaning the computing systems for business, cellular and internet networks, the stock market, power plants, air traffic control systems, hospitals, and anything else whose disruption would be catastrophic for the country. The framework is voluntary.
The framework starts by defining a common vocabulary, so people can talk about security incidents and planning in a way that everyone understands. The rest of the document lays out reporting structures (command and control) and other information that is best handed over to auditors and risk-mitigation staff to digest; they can then work with executives to review it and possibly implement it. Much of the document is based on the COBIT 5 framework for enterprise IT governance, so your organization probably has some or much of that in place already.
The framework gives no technical details. Instead it is an outline for what people would call “governance.” Supplementary information can be found here.
Much of the document highlights the need to have security policies in place, assign roles and responsibilities, and develop processes and procedures to manage IT assets. This includes items like having a change control process, making backups, having a disaster recovery plan, documenting an incident response plan, and monitoring networks.
In order to mitigate risk and plan for recovery, there is a need to make a complete inventory and to define critical functions and how they are delivered. Programmers and architects will find all this boring to read, which is why companies have internal auditors. (Apologies to any auditors reading this for criticizing what you do.)
It is not clear how an organization can say it has adopted the framework, as there is nothing like an ISOXXX certification offered. But since the framework is based on COBIT 5, ISO, and NIST standards, one could say one has adopted any of those. Having such certifications is, of course, important for anyone who hosts a data center, provides a service, or needs to comply with regulatory and financial (e.g. stock exchange) requirements, as it helps with sales and, of course, with security.