Earlier this week the Israeli CERT (CERT-IL) have issued a final draft for a "Civilian Corporate Cyber Protection Methodology." in this publish they are asking for comments before making this paper official, and releasing it. This 160-page long paper was written for providing a professional solution for the entire marketplace. The organization's protection plan derived from this document adapted to the extent of the body's dependence on cyber.
The central principle of which this defense doctrine paper was written is the organization as a whole recognizing that it is necessary to protect the continuity of the organization's functioning and to support its business objectives.
This concept is expressed in the document as follows:
A. Management Responsibility - The responsibility for protecting the information lies first and foremost with the management of the organization.
B. Protection Depending on the potential damage - the investment in the protection of each asset will be per its critical level to the functioning of the organization.
C. Defense based on Israeli knowledge and experience - the theory of defense enables the focus on the relevant risks to all
Organization and organization. As part of the activities of the National Authority for Cyber Defense, periodic intelligence audits and assessments are conducted to the economy. These actions enable organizations to target specific areas of the various defense circles.
D. Proactive protection - The security controls were defined with the understanding that the organization must invest additional efforts The passive defense. This is expressed through the definition of protective controls for the stages of prevention, identification, and reaction and return to routine.
E. Multilayered Protection - Protection is a process that combines three main components: people, technology and processes (3 P's - People & Products & Processes) Defense theory defines a defensive response that is required on all these levels.
The original published document can work in for any organization. Regardless the locale of your office, I think that the third concept, mentioned above (translated from the original paper) should be read "Defense based on LOCAL knowledge and experience." The intel and assessments which are applicable for Israel might not be right for India, Mozambique or Brazil. In an organization that it is multinational and the organization's CSO need to handle with cyber aspects in each country, it is important to pay attention to the local recommendations for each branch as it was it was the only location in the network.
There is nothing new there in this document that we don't know by now as it is based on NIST CSF (Cyber Security Framework). The ingenuity here is that this paper adjusting the standard and making it accessible to the Israeli market.