CYBER SECURITY POLICY
The Kayndrex Foundation is increasingly reliant on the availability of information and communications technology systems, as well as on the integrity and confidentiality of data. The threat posed by possible cyber-events to the Foundation is continuously shifting, with malicious actors pursuing harmful intents, interruptions of business continuity and the unauthorised acquisition of information for political, financial, or other purposes.
Recognising the multi-faceted and multi-disciplinary nature of cybersecurity and noting that cyber-events can simultaneously affect a wide range of areas and spread rapidly, it is imperative to develop a common vision and define a business-wide Cyber Security Policy.
The Foundation’s vision for business-wide cybersecurity is that we are resilient to cyber-events and remain safe and trusted globally, whilst continuing to innovate and grow.
This can be achieved through:
- Recognising our obligations to ensure the safety, security, and continuity of operations, taking into account cybersecurity.
- Coordination of our cybersecurity within the organisation to ensure effective and efficient internal management of cybersecurity risks, and
- All the Foundation’s stakeholders committing to further develop cyber resilience, protecting against cyber-events that could affect the safety, security, and continuity of the organisation’s systems.
The Policy aligns with other cyber-related initiatives and coordinates with corresponding safety and security management provisions. The Policy’s aims will be achieved through a series of principles, measures and actions contained in a strategy built on seven pillars:
3. Effective legislation and regulations
4. Cybersecurity strategy
5. Information sharing
6. Event management and emergency planning
7. Capacity building, training, and cybersecurity culture
Cybersecurity and the Kayndrex Foundation are both international in nature. Both require cooperation at the national and international level and call for a mutual recognition of efforts to develop, maintain, and improve cybersecurity with the aim of protecting the Foundation from all cyber risks to safety and security.
The Foundation’s cybersecurity needs to be harmonised at the global, regional, and national levels so as to promote global coherence and to ensure full interoperability of protection measures and risk management systems.
The Foundation is the appropriate environment to connect members in addressing cybersecurity in the international ecosystem. For this reason, the Foundation will organise, facilitate, and promote activities that serve as a platform for knowledge exchange between States, international organisations, and industry.
All the Foundation’s stakeholders are encouraged to support and build upon the Cyber Security Policy, to ensure the safety, security, and continuity of the Foundation’s operations.
The Foundation has developed clear governance and responsibility for its cybersecurity. The Foundation’s security experts are encouraged to ensure coordination for cybersecurity.
Furthermore, the Foundation has included cybersecurity in its safety and security programmes. For this reason, the Foundation has also included cybersecurity in regional and global plans and endeavours towards a common standard for cybersecurity.
Effective Legislation and Regulation
The principal aim of legislation and regulation on cybersecurity for the Foundation is to support the implementation of a comprehensive Cybersecurity Policy to protect the Foundation and its stakeholders from the impacts of cyber-events.
We ensure that appropriate legislation and regulations are formulated and applied, in accordance with the Foundation’s provisions, prior to implementing a cybersecurity strategy for the Foundation. Further development of appropriate guidance for members in implementing cybersecurity-related provisions is necessary. For this reason, the Foundation is dedicated to creating, reviewing, and amending, as appropriate, guidance material relating to the inclusion of cybersecurity aspects into security and safety.
Relevant legal instruments should be analysed to identify existing or missing key legal provisions in corporate law for the prevention of, action on, and timely response to cyber-events, so as to form the basis for consistent and coherent implementation of cybersecurity legislation and regulations in the Foundation. In the meantime, stakeholders are encouraged to ratify the Foundation’s processes.
The Foundation has set up appropriate mechanisms for cooperation with ‘good faith’ security research, which is research activity performed in an environment designed to prevent affecting the safety, security, and continuity of the Foundation.
Cybersecurity has been included within the Foundation’s security and safety oversight systems as part of a comprehensive risk management strategy.
Recognising there are various risk assessment methodologies, priority should be afforded to the amendment and possible development of guidance material related to cybersecurity risk and likelihood assessments, with the aim to achieve comparability of the results of such assessments.
Across the Foundation, cybersecurity strategies consider the complete life-cycle of the business, and include elements such as: cybersecurity culture, promotion of security by design, supply chain security for software and hardware, data integrity, appropriate access control, pro-active responsibility management, improving agility in security and safety updates, as well as incorporating systems and processes to monitor cybersecurity relevant data.
The Foundation is a global system with many common practices, and cyber-events can easily spread and have global effect. The objective of information sharing is to allow for prevention, early detection, and mitigation of relevant cybersecurity events before they lead to wider effects on the Foundation’s safety or security. A culture of information sharing will significantly reduce systemic cyber risk across the Foundation; the value of such a culture has already been proven across the Foundation’s safety and security activities.
The sharing of information on aspects such as accountabilities, risks, events, and best practices, through established and trusted relationships, can reduce the effect of ongoing events. Appropriate information sharing mechanisms should be recognised, in line with existing Foundation provisions.
Event Management and Emergency Planning
There is a need, in line with existing event management mechanisms, to have appropriate and scalable plans that provide for the continuity of operations during cyber-events. It is recommended that stakeholders and the teams of the Foundation apply the contingency plans that are already developed and amend these to include provisions for cybersecurity.
Cybersecurity exercises are a valuable tool to test existing cyber resilience and identify improvements, and are therefore highly encouraged. The Foundation’s cyber resilience is its ability to prepare for, respond to, and recover from cyber-events and security interruptions. Cyber resilience is key to operational resilience and business continuity, as well as to the growth and flourishing of the Foundation, as we adapt to the necessities of operating digitally. Such exercises can follow various formats (such as table-top exercises, simulations, or real-time exercises) and also vary in scale (international, national, organisational).
Capacity Building, Training, and Cybersecurity Culture
The human element is at the core of cybersecurity. It is vitally important that the Kayndrex Foundation takes tangible steps to increase the number of personnel who are qualified and knowledgeable in both operations and cybersecurity. This can be done by increasing awareness of cybersecurity, as well as through education, recruitment, and training. Innovative ways to merge and cross-link traditional information technology and cyber career paths with relevant professionals should be pursued.
The support and stimulation of skills development in existing and new responsible team(s) should lead to the fostering of cybersecurity innovation and appropriate research and design in the Kayndrex Foundation. Appropriate career-related training should be provided on a continuous basis to support personnel in their daily roles.
Cybersecurity could be included in the strategy for the next generation of professionals as the Foundation is well-placed to operate with States and industry to develop role-based competency requirements for its professionals.
The Foundation has established an enviable safety record, founded upon a pro-active safety culture that is seen as everybody’s responsibility. The principles of this safety culture are to be applied to develop and maintain a cybersecurity culture across the Kayndrex Foundation.