It's Not Just Changing the Password: Cybersecurity in the High Court


Summary

Recently, the Superior Court was the target of a hacker attack, demanding an urgent review and strengthening of its cybersecurity measures. Clarice, an intern at the Office of Organizational Process Management, took on the responsibility of conducting comprehensive research on cybersecurity and presenting a report with proposed solutions to mitigate the risks faced, in order to support strategic decisions to reorganize the Court. This scenario provides an opportunity to discuss the fundamentals of information security, explore strategies to minimize cyber risks without harming organizational productivity, and examine the challenges faced by senior management when implementing security controls in crucial business processes and in risk management, inviting the reader to reflect on the gaps that may exist between best practices and those actually adopted in the field of cybersecurity. By contextualizing the situation in the Brazilian Superior Courts, the case seeks not only to highlight the importance of this discussion, but also to raise awareness of the complex interaction between cybersecurity, operational efficiency, and organizational culture.

Keywords: Cyber Security, Court of Justice, Hacker Attacks, Case Management, Risk Management.

Abstract

Recently, the Superior Court has been the target of a hacker attack, demanding an urgent review and strengthening of its cybersecurity measures. Clarice, an intern at the Organizational Process Management Office, has taken on the responsibility of conducting thorough research on cybersecurity and presenting a report with proposed solutions to mitigate the risks faced, in order to support strategic decisions to reorganize the Court. This scenario provides an opportunity to discuss the fundamentals of information security, explore strategies to minimize cyber risks without compromising organizational productivity, and examine the challenges faced by senior management in implementing security controls in critical business processes and in risk management. The case invites the reader to reflect on the gaps that may exist between recommended practices and those actually adopted in the field of cybersecurity. By contextualizing the situation in the Brazilian Superior Courts, the aim is not only to underscore the importance of this discussion but also to raise awareness of the complex interaction between cybersecurity, operational efficiency, and organizational culture.

Keywords: Cybersecurity, Judiciary, Hacker Attacks, Process Management, Risk Management.

Legal Paths: Clarice's Journey in Court


A business administration student, Clarice became interested in the theme of business processes during one of her Process Management classes, in particular because of the relevance that quality control through work processes can have in the reality of an organization. As she had not yet had her first internship experience, she looked for one in which she could develop her skills in this or a related area. In this search, she found an unusual opportunity: to intern at the Office of Organizational Process Management of one of the 5 Superior Courts of Brazil (BRASIL, 1988), assisting in the mapping and improvement of the Court's business process flows.

Upon entering the Court, Clarice saw her expectations largely exceeded when she noticed the technological innovations that permeated the environment. It was a true glimpse of the future of the judicial system on its way to Digital Transformation. Among the novelties, she noted the adoption of video calls for holding hearings, which, in her perception, made justice more accessible and agile.

In addition, the electronic process, with all its digitized phases, from the petition to the completion of the process, indicated a significant change in the way bureaucracy was faced. And, to top it off, the remote service through the "virtual desk" showed that the Court was truly embracing digital transformation to better serve the population.

Clarice was excited to dive into this innovation landscape while assisting in mapping business process flows. Her internship promised to be an exciting and learning-filled journey into the heart of the Brazilian judicial system.

In her first days of internship, Clarice's supervisor held an onboarding session, in which she presented some documents about the organization, among them the organizational chart of the Superior Court, which highlighted all the main areas and departments. In addition to the organizational chart, Clarice was presented with the Value Chain, which highlighted the main macro processes carried out to achieve the organization's objectives and results.

From the review of the materials passed on by her supervisor, Clarice was able to verify some characteristics of the Court, among them: the judges who sit on the Court are called ministers, and all of them are appointed by the President of the Republic after prior approval by the Federal Senate. In addition, the cases judged there either originate directly in the Court or review decisions of the state courts and the Federal Regional Courts (TRFs); that is, the Court judges final and important appeals in judicial proceedings.

In addition, Clarice had some doubts related to the Court's Value Chain regarding which business macro processes stand out as finalistic (that is, tied directly to the Court's end activity), since the Value Chain encompasses many macro processes, such as: receipt and distribution of cases, analysis and reporting of cases, production of decisions, judgment, judicial processing, execution of notarial acts, and compliance with orders and decisions.

Based on this, she decided to schedule a meeting to resolve them with her supervisor, Fernanda, who explained that the macro processes related to the preparation of orders and decisions are considered finalistic for the organization, because they are executed directly by the magistrates.

From this conversation with Fernanda, Clarice understood a little more about the structure of the Court and the macro business processes that she would work on throughout her internship.

Beyond the Walls: The Cyber Invasion and Data Leak

In the midst of this world of new information and expectations, an event shook up the progress of the Court: a cyberattack on one of the systems used by the Court. It was the system used for communication between the Court and the parties to the proceedings (lawyers and litigants), containing tools such as case-file lookup and the provision of general information, such as access to the Court's collection and frequently asked questions. In addition, within the agency itself, the same system was used by employees to move cases along; that is, the delivery of judicial services (the jurisdictional provision) ran through this system.

When the attack happened, employees did not know very well what was going on; all they saw was that the system was unavailable. However, as time went by and the situation did not return to normal, rumors about the attack began to spread, and an air of distrust and fear set in: in addition to the stress of not being able to complete their work, there was uncertainty about what would become of the system now.

Later, it was found that the system had limitations and vulnerabilities, and it was through one of them that the attacker managed to infiltrate it, gaining access to confidential information¹.

However, rather than merely appropriating the information, the attacker deployed a specific type of attack known as ransomware. This type of attack is characterized by the use of malware that encrypts the files on compromised computers and servers, rendering them unusable until they are decrypted.

Afterward, the attacker demanded a ransom in exchange for the decryption key needed to recover the information. It is important to note that, according to Brazilian law, there is no legal support for the payment of ransoms in cases of attacks of this type; and even where a ransom is paid, there is no guarantee that a working key will be delivered or that data already copied will not be leaked.
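The mechanics described above (a payload that encrypts files, followed by an extortion demand) are exactly what a court's IT team needs to notice early, before the whole file share is gone. The Python script below is an added example, not code from the case or from the Court: it plants a canary file whose hash is recorded, flags files whose byte entropy is close to that of ciphertext, then runs a toy stream cipher over a constructed folder of draft decisions to show the detector firing. The folder contents, the canary name, the 7.5 bits/byte threshold and the SHA-256-based toy cipher are all assumptions for illustration; the cipher is not a secure construction and only reproduces the high-entropy profile that real ransomware leaves behind.

```python
"""Entropy and canary-file check for ransomware-style file encryption.

Added example with constructed data; not a system from the Court described in the case.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Plain text and office documents sit around 4-6 bits per byte; ciphertext and
# compressed data approach 8. The threshold is an assumption for this example.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-symbol input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canary(root: Path) -> dict:
    """Drop a decoy file and record its hash; encrypting or deleting it is an alert."""
    canary = root / "00_canary.docx"  # sorts first, so a directory walk reaches it early
    canary.write_bytes(b"CANARY " * 512)
    return {"path": str(canary), "sha256": sha256_file(canary)}


def scan(root: Path, canary: dict) -> dict:
    """Report high-entropy files and whether the canary was touched."""
    suspicious = [
        str(p.relative_to(root))
        for p in sorted(root.rglob("*"))
        if p.is_file() and shannon_entropy(p.read_bytes()) >= ENTROPY_THRESHOLD
    ]
    canary_path = Path(canary["path"])
    tampered = not canary_path.exists() or sha256_file(canary_path) != canary["sha256"]
    return {
        "high_entropy_files": suspicious,
        "canary_tampered": tampered,
        "alert": tampered or bool(suspicious),
    }


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher: keystream block i = SHA-256(key || i). NOT secure; it only
    stands in for the encryption a ransomware payload performs (XOR twice = decrypt)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def simulate_ransomware(root: Path, key: bytes) -> int:
    """Encrypt every file under root in place and append a .locked extension."""
    encrypted = 0
    for p in sorted(root.rglob("*")):  # list is materialised before any renaming
        if p.is_file():
            p.write_bytes(toy_encrypt(p.read_bytes(), key))
            p.rename(p.with_name(p.name + ".locked"))
            encrypted += 1
    return encrypted


def demo() -> tuple:
    """Build a constructed folder of draft decisions, scan, encrypt, scan again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "decisions").mkdir()
        for i in range(3):
            (root / "decisions" / f"order_{i}.txt").write_text("Draft decision text. " * 200)
        canary = plant_canary(root)
        before = scan(root, canary)
        simulate_ransomware(root, key=b"\x42" * 32)  # fixed key: demo only
        after = scan(root, canary)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

In practice the entropy check belongs in a scheduled job or a file-system watcher over the shares that hold case files, and the canary is one of several spread across directories; the point of the pair is that the canary catches the first touched file while the entropy sweep measures how far the encryption has already spread.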

This caused instability in the system, keeping it offline for some time, which delayed cases and established a general sense of insecurity in the Court. In the midst of this situation, Clarice found herself lost in her first big problem at the Court. Not knowing how to proceed, she turned to the internet. There were 103.16 billion attempted cyberattacks in Brazil in 2022, according to data collected by FortiGuard Labs, which Clarice found while researching information security and cyberattacks. Clarice's own work was affected by one of these attacks, since she used the hacked system. Now both she and the Court would have to face this new reality and try to resolve the situation, minimizing the consequences and rethinking information security within the Court so that the same situation would not happen again.

The impact was great! What now?

At the Superior Court's Office of Organizational Process Management, routine gave way to a whirlwind of chaos and worry following the devastating hack. The consequences were frightening and immediately visible on several fronts. The existing security controls proved insufficient, leaving crucial information exposed. A cascade of incidents followed, shaking the essence of the justice that the Court represented.

Miguel, the head of the Office of Organizational Process Management, and his team quickly grasped the consequences of the attack. The information that fed the decision-making process could no longer be relied upon, leading to confusion and uncertainty among the judges.

Some cases under seal were also exposed, causing widespread outrage and concern. In addition, the investigation into the incident found that the attackers had had prior access to orders and decisions still in progress; even though they had not modified them, this put the credibility of the judicial system in question. Decisions that could shape the future of important cases were compromised.

The jurisdictional provision was interrupted, with the systems paralyzed by the cyber attackers. The Court was vulnerable, and all the efforts of the Office of Organizational Process Management seemed insufficient in the face of this virtual threat.

The hacker attack triggered a race against time to restore the systems and the integrity of the Court's image. In time, stopgap measures were implemented to contain the immediate impacts. However, the damage left by this act was profound, and the journey towards full recovery was just beginning. Now, in addition to recovery, the focus was on improving security and processes, going beyond the emergency solutions already implemented.

Efforts to reverse the impacts of this unprecedented attack were just beginning, and each member of the Court knew that their commitment and dedication would be crucial to protecting the integrity of the Court and ensuring that justice prevailed.

Nevertheless, Clarice was insecure and anxious, not knowing what she could do in the face of the scenario presented to her. In view of this, she requested an alignment meeting with her supervisor to understand the best way to help the Office implement solutions to the emerging problems.

Clarice : Fernanda, I'm a little apprehensive about this meeting. The situation after the hacker attack has left us all worried.

Fernanda (supervisor) : The attack was really worrying, but that's why we need to strengthen ourselves even more. I want you to focus on an important task... As an intern at the Office of Organizational Process Management, I would like you to conduct a survey together with Rodrigo, one of the managers of the Office of Process Management, to identify possible guidelines focused on increasing the security of the Court's business process flows. To do this, also consult the technology team, which can help you better understand the challenges.

Clarice : I will strive to carry out this research. I hope that it can contribute in some way to future actions for the improvement of processes.

Fernanda : Exactly, Clarice. I fully trust your ability and know that under Rodrigo's mentorship, you will both bring valuable ideas with the potential to improve our processes. Research best practices in cybersecurity, explore technologies, Frameworks and, if necessary, consult with the staff of the IT Secretariat.

Given these directions, Clarice was excited about the task assigned to her and the opportunity to have such a relevant impact in her first internship, working alongside one of the managers. With this, a search for alternatives began, to find out how the organization could better structure itself to face this type of cyber risk, exploring both how to create a prevention strategy and how to increase the security of the Court's process flows.

Information Security: An Overview

To fulfill the demand passed on to them, Rodrigo laid out the steps the two would follow in their research (Figure 1).

Figure 1 - Stages of Clarice's research. Source: Adapted from Alves, Renato S.; Georg, Marcus A. C.; Nunes, Rafael R., 2022.

In the first stage, "Bibliographic Research", Clarice was responsible for identifying some relevant topics to prevent future hacker attacks on the Court. As she identified these themes, Clarice recorded them in a report, so that it could later be presented to Fernanda, her supervisor, and Miguel, head of the Office, consolidating the results of the stages delimited for the research.

Inspired by her work in the public sector, she decided to start with what the law says, more specifically what the LGPD, the General Data Protection Law (Law No. 13,709/2018), says about information security. After analyzing the law, however, she found that it recommends no specific method: it only requires that processing agents adopt security, technical and administrative measures capable of protecting personal data (Article 46), and this from the standpoint of data privacy, which proved to be another universe altogether.

Rodrigo carried out the research on security controls. Among the topics found, the following stand out: frameworks and publications that suggest the security controls necessary to protect against, for example, hacker attacks:

Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53 Revision 5 (NIST SP, 2020): In this publication, Rodrigo identified a series of crucial information for improving the security of the Superior Court's business process flows. The publication establishes specific controls that can be implemented in any organization or system that processes, stores, or transmits information. These controls aim to strengthen cybersecurity and privacy, protecting the institution from potential threats.

Rodrigo also noted that the publication suggests the importance of improving communication between organizations, providing a common lexicon to facilitate the discussion of security, privacy, and risk management concepts. This enables teams involved in risk prevention to have a unified understanding of the terms and objectives, thus enhancing the collaboration and effectiveness of the strategies implemented.

The publication also outlines some of the fundamental concepts associated with security and privacy controls, offering a comprehensive overview of the principles that guide the implementation of these protection mechanisms. One of the key concepts Rodrigo took from it was that of 'security controls'. These controls refer to specific practices that an organization can implement to mitigate cybersecurity risks and protect its systems and information from threats. They cover a wide range of measures, from security policies and procedures to operational technologies and practices.

In addition, the consolidated catalog of security and privacy controls in the publication is a valuable tool for organizations, providing a complete list of specific controls, each with a discussion section that explains the purpose of its application and offers useful information on how to implement and evaluate them appropriately.

Am I safe? What should I know?

When presenting his findings to Clarice, Rodrigo highlighted that the publication presents a list of related controls, evidencing the interrelationships and dependencies between the different controls. This comprehensive understanding can help the Office of Organizational Process Management recommend an integrated, synergistic approach in implementing these security measures.

NIST Cybersecurity Framework v1.1: This Framework presents industry standards, guidelines, and practices in a manner that enables the communication of cybersecurity activities and outcomes across the organization, from the executive level to the implementation/operations level (NIST CSF, 2018). Reading the Framework Core, Clarice identified its 5 functions, 23 categories and 108 subcategories, and, according to the cited source, approximately 1200 referenced security controls (Figure 2) (NIST, 2022, apud Alves, Renato S.; Georg, Marcus A. C.; Nunes, Rafael R., 2022).

Figure 2 - The 5 functions of the NIST Cybersecurity Framework. Source: (NIST, 2018)


Clarice understood that, when considered together, these functions offer a high-level strategic view of an organization's cybersecurity risk management lifecycle (NIST CSF, 2018). The Framework Core then identifies the main underlying categories and subcategories (which are specific outcomes) for each function and associates them with examples of informative references, such as existing standards, guidelines, and practices, for each subcategory.

CIS Critical Security Controls (CIS CSC) Version 8 (CIS, 2021): Of the frameworks and publications studied and presented by Rodrigo, Clarice considered this one the most didactic and promising, since it presents a prioritized, simplified set of safeguards that map onto the NIST material (NIST SP, 2020 and NIST CSF, 2018). She identified in the White Paper published by McClain & Sagerand (2018) that the 18 controls in this Framework aim to meet the needs of the organization's critical infrastructures with the best risk-benefit ratio. The argument rests on the Pareto Principle, which says that about 20% of causes are responsible for about 80% of effects; by that reasoning, about 20% of the NIST controls would provide about 80% of the improvement in cybersecurity.

Clarice realized that the implementation of the CIS CSC controls follows a structured and progressive approach. The process starts with Implementation Group 1 (IG1), the essential cyber hygiene baseline that every organization should implement regardless of its available resources. This first step is essential to establishing a solid foundation of security, even for organizations with limited resources.

Next, the framework addresses IG2, aimed at organizations with moderate resources and cybersecurity expertise. In this phase, additional safeguards are added to address more complex threats and mitigate risks at an intermediate level.

Finally, IG3 is aimed at organizations exposed to high risk, such as the Superior Court. Together, they realized that advanced safeguards and more sophisticated cybersecurity strategies would have to be implemented to combat extremely serious threats and protect the organization against highly complex attacks (Figure 3).

Figure 3 - CIS CSC implementation groups and the number of safeguards in each. Source: (Lima, et al., 2022)

Clarice realized that the Framework offers a strategic and well-structured approach to strengthening the Court's cybersecurity. The division into three groups - IG1, IG2 and IG3 - allows the implementation of controls to be adapted to the particularities and resources of the institution, making the approach more flexible and accessible.

Having surveyed publications and frameworks that could guide the implementation of security controls in the Superior Court, Clarice saw the need to identify which business processes should be prioritized for the controls, since the materials studied define a large number of them.

In view of this, Rodrigo also identified the 'Cyber Crisis Management Protocol of the Judiciary – PGCRC-PJ', approved by CNJ Ordinance No. 162 of June 10, 2021, which establishes the response procedures to be carried out before and after the occurrence of a medium/long-term cyber crisis. In this document, he saw that the actions foreseen for preventing the risk of a cyber crisis are: identifying the primary activities that sustain the organization's end activity, identifying the assets that support those activities, and continuously assessing the risks to which they are exposed (National Council of Justice, 2021a, pp. 15-16).

With this information, Clarice remembered the conversation she had with her supervisor at the beginning of the internship, in which she asked about the Value Chain. In that conversation, Fernanda explained that the business processes of 'preparation of orders and decisions' are considered finalistic for the organization, since they are executed directly by the magistrates. Clarice therefore concluded that these would be the ones prioritized in her report.

After prioritizing the Superior Court's business processes, Clarice sought to understand, by analyzing the impacts of the incident and conducting the reference research, what the main risks related to the activities carried out in the organization would be.

This search led to the study by ALVES, Renato S.; GEORG, Marcus A. C.; NUNES, Rafael R. (2022), which identifies the business risks of the main activities of the Judiciary (Figure 4).

Figure 4 - Business risks of the main activities of the Judiciary. Source: (ALVES, Renato S. & GEORG, Marcus A. C. & NUNES, Rafael R., p. 10, 2022)

In addition to business risks, in this same research, Clarice was able to identify the link between business risks and operational risks, derived from the analysis of the causes and sources of operational risk (Figure 5).

Figure 5 - Examples of operational risks identified from business risks. Source: (ALVES, Renato S. & GEORG, Marcus A. C. & NUNES, Rafael R., p.11, 2022)

After these results from the research by ALVES, Renato S. et al. (2022), Clarice could already envision where security controls could be implemented in the Court's prioritized business processes in order to strengthen their security and prevent future attacks.
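The link from business risks (Figure 4) to operational risks (Figure 5), and the PGCRC-PJ's "activities, then assets, then risks" sequence, both run through the assets that support each process: an incident on a shared dependency such as an identity provider surfaces as a business risk for every process that relies on it, even indirectly. The Python script below is an added example, not a tool from the Court or from Alves et al. (2022): it models a small asset-dependency graph, attaches operational risks to assets with a likelihood × impact score, propagates the worst reachable risk up to each business process through the transitive closure of the graph, and ranks the finalistic process first. The processes, assets, risks and 1-5 scores are constructed assumptions for illustration.

```python
"""Propagating operational risks on assets up to the business processes that depend on them.

Added example with constructed data; the processes, assets, risks and 1-5 scores are
assumptions for illustration, not figures from the Court or from Alves et al. (2022).
"""
from dataclasses import dataclass


@dataclass
class OperationalRisk:
    asset: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Asset -> assets it depends on. An incident on a dependency reaches everything above it.
ASSET_DEPENDENCIES = {
    "identity_provider": [],
    "file_storage": [],
    "case_database": ["file_storage"],
    "procedural_system": ["case_database", "identity_provider"],
    "virtual_desk": ["identity_provider"],
}

# Business process -> assets it uses directly (a simplified slice of the value chain).
PROCESS_ASSETS = {
    "preparation of orders and decisions": ["procedural_system"],
    "receipt and distribution of cases": ["procedural_system", "virtual_desk"],
    "remote service (virtual desk)": ["virtual_desk"],
}

# Finalistic (end-activity) processes come first in the ranking regardless of score.
FINALISTIC = {"preparation of orders and decisions"}

OPERATIONAL_RISKS = [
    OperationalRisk("file_storage", "ransomware encrypts case files", 3, 5),
    OperationalRisk("identity_provider", "credential theft through phishing", 4, 3),
    OperationalRisk("procedural_system", "unpatched vulnerability in the public interface", 4, 5),
    OperationalRisk("virtual_desk", "service outage", 2, 2),
]


def supporting_assets(asset: str, deps: dict, seen: set = None) -> set:
    """Transitive closure of the dependency graph below one asset (includes the asset)."""
    seen = set() if seen is None else seen
    if asset not in seen:
        seen.add(asset)
        for dep in deps.get(asset, []):
            supporting_assets(dep, deps, seen)
    return seen


def business_risk(process: str, process_assets: dict, deps: dict, risks: list) -> dict:
    """Worst operational risk anywhere in the asset chain that the process relies on."""
    closure = set()
    for asset in process_assets[process]:
        closure |= supporting_assets(asset, deps)
    reachable = [r for r in risks if r.asset in closure]
    worst = max(reachable, key=lambda r: r.score, default=None)
    return {
        "process": process,
        "score": worst.score if worst else 0,
        "driver": worst,
        "assets": sorted(closure),
    }


def rank_processes(process_assets=PROCESS_ASSETS, deps=ASSET_DEPENDENCIES,
                   risks=OPERATIONAL_RISKS, finalistic=FINALISTIC) -> list:
    """Finalistic processes first, then highest inherited risk first."""
    rows = [business_risk(p, process_assets, deps, risks) for p in process_assets]
    return sorted(rows, key=lambda r: (r["process"] not in finalistic, -r["score"]))


if __name__ == "__main__":
    for row in rank_processes():
        d = row["driver"]
        print(f'{row["score"]:>3}  {row["process"]:<38} via {d.asset}: {d.description}')
```

The "driver" of each row is the operational risk a control should address first; in the constructed data the remote-service process inherits its top risk from the identity provider rather than from anything it owns, which is the kind of cross-department dependency the interviews in the next section tend to surface.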

Court Departments and the Security of Their Business Processes

After conducting the research, Rodrigo recalled the need to understand what would be the perspectives of other departments of the Court regarding the implementation of security controls in their business processes. Thus, Clarice was responsible for conducting interviews with these collaborators. In these interviews, she came across a diversity of perspectives and concerns regarding the implementation of new security controls in business processes.

Some employees expressed understandable concern about the possible complexity and delay that such changes could entail in workflows that have been established for years. They feared that the adoption of new controls could interfere with their daily routines and result in possible operational resistance.

In addition, the intern also noticed a reluctance in relation to potential modifications in the systems already consolidated in the Court. Many employees were used to the existing interfaces and functionalities, and any change could generate discomfort and the need to adapt to a new digital work environment.

Despite the initial resistance, Clarice realized that some interviews also revealed an openness to understanding the importance of cybersecurity. More engaged employees recognized that, while there are legitimate concerns regarding complexity, the security and integrity of the Court's data are critical to ensuring a trusted environment protected from digital threats.

Safety and Operational Efficiency: an inversely proportional relationship

When faced with the task of researching alternatives to prevent future cyberattacks in the High Court, Clarice plunged into an intriguing and crucial dilemma: the inversely proportional relationship between increased cybersecurity and the potential loss of efficiency in business processes.

Clarice understood that the implementation of cybersecurity controls was essential to strengthen the Court's defenses against possible attacks. The adoption of strict measures, as indicated by publications and frameworks such as the CIS Critical Security Controls v8 (CIS, 2021), could make systems more resilient and less vulnerable to cyber threats.

However, Rodrigo pointed out that as security controls are implemented and cybersecurity is strengthened, business processes tend to become more complex and time-consuming. Adding layers of security may require additional checks, authorization steps, and authentication procedures, which can disrupt the normal flow of activities and slow some processes down.

This duality led Clarice to a deep reflection on how to balance the need for cybersecurity with the operational efficiency of the Court. After all, ensuring the security of information is essential to protect the fairness and confidentiality of proceedings, but the importance of maintaining agility and efficiency in judicial proceedings cannot be ignored.

To meet this challenge, Clarice understood that the ideal approach would be to find a balance between implementing cybersecurity controls and optimizing business processes. This could be achieved through a thorough and careful analysis of the application of controls, identifying where security is most critical and where it is possible to simplify procedures without compromising data protection. That is, implement controls based on the risk assessment process. What good is efficiency without effectiveness?

In addition, she realized the importance of promoting a culture of awareness and training for the Court's employees, in order to ensure that everyone is aligned with the security measures and understands their relevance to the integrity of operations. Moreover, the Court's leaders have a crucial role in implementing security measures and in balancing them against the agility of operations.

A Look Outside: Comparing to Other Organizations

To complete her research, she decided to benchmark some Brazilian companies to analyze how information security is practiced. To this end, she analyzed an article by Silva Netto, A. D., and Silveira, M. A. P. D. (2007) that studies a sample of 43 small and medium-sized companies in the ABC region of São Paulo to find out which methods are most common and which factors motivate or inhibit the adoption of information security management. The results show that the most used techniques are antivirus, file backup and firewall, and that the main demotivating factors are the cost of the investment, the difficulty of measuring the cost-benefit, lack of knowledge, and the organizational culture of the companies themselves. Finally, among the three layers of security management (physical, logical and human), the human layer is the most deficient. We must make the human being the strongest link in the chain!

This research made Clarice rethink a little about the difference between what she studied and what is done in practice, since organizations will not always choose the best methods, either because they do not have resources or knowledge about information security, or because they will prefer to have less security, but on the other hand they will have more agility in the processes.

Strengthening Cybersecurity

After extensive research and dedication, Clarice, the intern, and Rodrigo, the manager of the Organizational Process Management Office of the Superior Court, were ready to consolidate all the information into a comprehensive report. They knew the importance of this document to present their findings and proposals to Fernanda, their supervisor, and Miguel, the head of the Office. The report would be one of the references to direct the strategy to prevent future cyber attacks and increase the security of the Court's business process flows.

To better communicate her conclusions, Clarice organized the information in a concise way. She emphasized the importance of a balanced approach between cybersecurity and efficiency in business processes, showing how leaders would play a key role in making informed decisions.

Upon reaching the crucial part of the report, Clarice presented the implementation suggestion, highlighting the IIA's Three Lines Model (IIA, 2020). She explained that this model would help the Court identify structures and processes that help achieve objectives and facilitate strong governance and effective risk management (Figure 6).

Figure 6 - The Three Lines Model of The IIA. Source: (IIA, 2020)

Clarice described the main points of the model, including the principles-based approach, the emphasis on the contribution of risk management to value creation, and the clear understanding of the roles and responsibilities within the model.

In addition, she highlighted the importance of aligning activities and objectives with the prioritized interests of the Stakeholders , ensuring that the Office of Organizational Process Management was committed to meeting the expectations of those who trusted in the security and integrity of the Court.

With the report finalized, Rodrigo, with Clarice's support, was ready to present it to Fernanda and Miguel. Rodrigo requested a meeting with both. During the presentation of the report, he highlighted the critical importance of the situation, emphasizing that the recent hacker attack has exposed the fragility of systems and the urgent need for more robust preventive measures. It became clear that many boards were not yet prepared to make decisions related to cybersecurity at higher levels of management. This raised significant concerns.

Miguel, the head of the Office of Organizational Process Management, agreed with the urgency of the situation. They realized that joint work should be carried out to implement the proposed changes and strengthen cybersecurity. The possibility of new attacks and their imminent consequences made evident the need for quick and effective decisions, involving all stakeholders. The team was now facing a critical moment where decisive action was essential to protect systems and ensure the continuity of court operations.

Questions for the discussion

  1. What are the main challenges faced by organizations when integrating cyber risk into senior management decisions and overall governance?
  2. Were the results of Rodrigo and Clarice's research satisfactory? Comment on what could have been done to improve the research carried out.
  3. What strategies can be adopted to make the Court more resilient to future cyber attacks, without compromising the efficiency of business processes?
  4. What are the main lessons learned from the previous hacker attack and how can they be applied to strengthen the Court's resilience against future cyber threats?
  5. How can collaboration between the Office of Organizational Process Management and other areas of the Court be strengthened to ensure the effective implementation of cybersecurity measures?
  6. Considering the constant evolution of cyber threats, how can we increase the Court's preparedness to deal with more sophisticated attacks in the future?
  7. How is the efficiency of business processes impacted by the implementation of security measures? In this scenario, which is the better approach: effectiveness or efficiency?
  8. How can business risks be related to operational risks? How can communication between different organizational levels be improved with regard to risks?

Authors' notes

¹It is important to clarify that a ransomware attack unfolds in several phases. In this teaching case, it was decided to simplify and not delve into this issue for didactic purposes.

Gallery

Figure 7 - Functions and categories of the NIST Cybersecurity Framework. Source: NIST CSF (2018)
Figure 8 - CIS security controls. Source: McClain, S. & Sagerand, T. (2018)
Figure 9 - News. Source: Denis Ortiz, TV Globo (2020)
Figure 10 - News. Source: Mirelle Pinheiro, Carlos Carone, Metrópoles (2022)

References

Alves, R. S., Georg, M. A. C., & Nunes, R. R. (2022). Judiciary under hacker attack: business risks for cybersecurity in Brazilian courts. Monograph (Administration), FACE, University of Brasília (UnB), Brasília. DOI: 10.17013/risti.n.pi-pf. Accessed on July 22, 2023.

BRAZIL. Constitution (1988). Constitution of the Federative Republic of Brazil of 1988. Brasília, DF: Presidency of the Republic, 2016. Accessed on July 20, 2023, available at https://www.planalto.gov.br/ccivil_03/constituicao/constituicao.htm

BRAZIL. (2018). General Data Protection Law. Accessed on July 24, 2023, available at https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm

CIS, Center for Internet Security. (2021). Simplified & Prioritized Cyber Defense Guidance: CIS Critical Security Controls (CSC), Version 8.0. Accessed on July 23, 2023, available at https://www.cisecurity.org/controls

National Council of Justice [CNJ]. (2021a). National Strategy for Cybersecurity of the Judiciary. CNJ Ordinance No. 162/2021. Accessed on July 23, 2023, available at https://atos.cnj.jus.br/files/compilado1402302021061460c7617672ec5.pdf

National Council of Justice [CNJ]. (2021b). Justice 4.0. Accessed on May 21, 2022, available at https://www.cnj.jus.br/tecnologia-da-informacao-e-comunicacao/justica-4-0/

National Council of Justice [CNJ]. (2012). Superior Courts: What are they? What do they do? JusBrasil. Accessed on July 22, 2023, available at https://www.jusbrasil.com.br/noticias/tribunais-superiores-quais-sao-o-que-fazem/170117397

FebrabanTech. (2023). Accessed on July 23, 2023, available at https://febrabantech.febraban.org.br/temas/seguranca/brasil-e-segundo-pais-mais-atingido-por-ciberataques-na-america-latina-diz-relatorio

Hino, M. C., & Cunha, M. A. (2020). Adoption of technologies from the perspective of legal professionals. Revista Direito GV, 16(1), e1952. Accessed on July 22, 2023. DOI: 10.1590/2317-6172201952.

Lima, E., Moreira, F., Deus, F., Amvame Nze, G., de Sousa Junior, R., & Nunes, R. (2022). Evaluation of the Operational Routine of the National Operator of the Brazilian Electric System (ONS) in Relation to Risk Management Actions Associated with Cybersecurity. RISTI - Iberian Journal of Information Systems and Technologies, E49, 301-312. Accessed on July 23, 2023, available at https://www.researchgate.net/publication/362916438_Avaliacao_da_Rotina_Operacional_do_Operador_Nacional_do_Sistema_Eletrico_Brasileiro_ONS_em_Relacao_as_Acoes_de_Gerenciamento_de_Riscos_Associados_a_Seguranca_Cibernetica

McClain, S., & Sagerand, T. (2018). Auditing, Assessing, Analyzing: A Prioritized Approach using the Pareto Principle. Center for Internet Security. Accessed on July 23, 2023, available at https://www.cisecurity.org/insights/white-papers/auditing-assessing-analyzing-a-prioritized-approach-using-the-pareto-principle

NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), Version 1.1. Accessed on July 23, 2023, available at https://nvlpubs.nist.gov/nistpubs/cswp/nist.cswp.04162018.pdf

NIST. (2020). Security and Privacy Controls for Federal Information Systems and Organizations. NIST Special Publication (SP) 800-53, Revision 5. Accessed on July 23, 2023, available at https://doi.org/10.6028/NIST.SP.800-53r5

Pinheiro, M., & Carone, C. (2022). PF arrests perpetrators of cyberattacks on website maintained by the STF. Metrópoles. Accessed on July 24, 2023, available at https://www.metropoles.com/distrito-federal/na-mira/pf-prende-autores-de-ataques-ciberneticos-a-site-mantido-pelo-stf

Ortiz, D. (2020). Federal Police identified hacker who invaded STJ system, says director-general. TV Globo. Accessed on July 24, 2023, available at https://g1.globo.com/politica/noticia/2020/11/06/policia-federal-identificou-hacker-que-invadiu-sistema-do-stj-diz-diretor-geral.ghtml

Silva Netto, A. D., & Silveira, M. A. P. D. (2007). Information security management: factors that influence its adoption in small and medium-sized companies. JISTEM - Journal of Information Systems and Technology Management, 4, 375-397.

Federal Supreme Court [STF]. (2023). Accessed on July 23, 2023, available at https://portal.stf.jus.br/textos/verTexto.asp?servico=centralDoCidadaoCartaDeServiServicosJurisdicionais&pagina=processosConsultaProcessual

Federal Supreme Court [STF]. (2018). Electronic Process Program: The Supreme Court in Tune with the Future. Accessed on July 22, 2023, available at https://portal.stf.jus.br/textos/verTexto.asp?servico=processoPeticaoEletronica&pagina=Informacoes_gerais_apos_desligamento_v1

The Institute of Internal Auditors [IIA]. (2020). IIA 2020 Three Lines Model: An Update of the Three Lines of Defense. Accessed on July 23, 2023, available at https://iiabrasil.org.br/noticia/novo-modelo-das-tres-linhas-do-iia-2020

About The Authors

Gabriel Marinho Godinho is a Business Administration student at the University of Brasília, a member of the ADM Casoteca Team and a former member of AD&M Business Consulting. He has professional experience as a Project Consultant working in Public Management and currently works as an Organizational Process Analyst at one of the largest insurance brokers in Brazil. Email: g.marinho99@gmail.com

Beatriz Teles Fernandez is a Business Administration student at the University of Brasília and a member of the Casoteca ADM Team. Email: falecombtf@gmail.com

Renato Solimar Alves is an Information Security and Information Technology manager who has worked in the protection of technological resources in the Judiciary for 15 years. He is an active member of the Information Security Management Committee of the Judiciary and has contributed to the definition and implementation of policies and guidelines that strengthen the cybersecurity posture and the response to security incidents in the judicial sphere. He holds a master's degree in Electrical Engineering and a specialization in Systems Engineering, previously graduated in Mobile Telecommunications Technology, and has a technical background in electronics. His experience includes leading teams in the public sector and in telecommunications companies.

Carlos Zottmann holds a degree in Data Processing Technology from the Integrated Colleges of Católica de Brasília, an MBA in IT Governance from Unieuro and a Lato Sensu postgraduate degree in Digital Law and Data Protection from IDP. He is a Certified Information Systems Security Professional (CISSP) by ISC2 and is currently a Master's student in Cybersecurity at the University of Brasília (UnB). He is a professional with more than 30 years of experience in IT, having worked primarily in bodies of the Judiciary. He has been a civil servant of the Superior Court of Justice since 1994, where he served as a manager in the areas of infrastructure and cybersecurity, and has been assigned to the Superior Electoral Court since 2018, where he serves as Head of the Strategic Center for Cybersecurity Management.

Rafael Rabelo Nunes is a professional with a background in IT and an active teaching career, who sees the synergy between technology and people as the engine for transforming organizations. He is currently a part-time Adjunct Professor at the University of Brasília, where he is dedicated to teaching and researching how IT can be used strategically by people and organizations, taking into account the risks involved. He is an Advisor in Risk Management at the Federal Supreme Court and a Professor at the UniAtenas University Center. He holds a PhD in Electrical Engineering and a degree in Communication Network Engineering, both from the University of Brasília. Email: rafaelrabelo@unb.br

Editor: Nicole Alonso Santos de Sousa is a graduate student in the Department of Administration (ADM/FACE) of the University of Brasília (UnB) and Co-coordinator of the ADM Casoteca. She holds a postgraduate degree in Finance and Controllership (MBA USP/ESALQ) and a Bachelor's degree in Business Administration (UnB). Email: nicolealonso2000@gmail.com

Editor: Luiz Henrique Lima Rodrigues is a Business Administration student at the University of Brasília and Co-coordinator of the ADM Casoteca. He is Director of Relationships 2024 at Concentro (Federation of Junior Enterprises of the Federal District). Email: luizhenriquelima305@gmail.com

This is a work of fiction; any resemblance to real names, people, facts or situations is purely coincidental. This text is intended exclusively for academic study and discussion, and its use or reproduction in any other form is prohibited. Copyright infringement will subject the offender to the penalties of Law No. 9,610/1998.