To summarize where we are, we have talked about identifying your assets and your risks. The next step is to begin using this information in a logical way. The risk assessment component will be used to develop your Risk Management Strategy. Management must establish their risk tolerances in order to evaluate how they will approach the threats that are deemed greatest.
Everything we have discussed so far is part of IT Governance. Governance represents the function of ensuring that IT is managed in accordance with the stakeholders’ needs and expectations. It is my humble opinion that the most important part of governance is communication. How do we communicate management’s and the stakeholders’ expectations? The first method is policies.
Policies have a bad reputation. A lot of people think that policies are written to give middle management something to do. In some cases that may be true, but a good policy structure helps to communicate a single message to all users about how situations should be handled. You will hear me say over and over that policies are simply a way to communicate management’s expectations. Policies should not be just a list of rules but a communique of how users should behave in order to achieve the goals of the organization.
There is a lot of debate about how policies should be written. Some think that the policy should state that management will develop procedures to support the proper implementation of a given area, and that separate procedure manuals should be developed for more granular directions. Others feel that policies should be all-inclusive, so that there is a single document explaining what management expects and how to accomplish it. I think the culture of the organization should drive how they are written; neither is wrong as long as there are policies that properly communicate expectations.
The primary policy here is Information Security. While various regulatory requirements may dictate other IT policies that impact cybersecurity, most issues can be covered in the Information Security Policy.
So what should be in the Information Security Policy? Here is a list of typical elements (not necessarily all of them) that would be included:
- Acceptable Use (internet usage, email, encryption, unauthorized software, etc.)
- Password parameters and appropriate password creation
- Incident Response (generally a separate policy but it should be at least referenced here)
- Physical Security issues
- Logical Security (network, application, mainframe, etc.)
- Human Resources (granting access, employee termination, background checks, etc.)
- Change Management (as it relates to security)
- Roles and responsibilities of personnel
- Data classification (confidentiality)
- Industry specific needs (GLBA, HIPAA, PCI, FISMA, etc.)
In order to complete the development of the policies needed for cybersecurity we will need to visit the next function: Protect. As stated in the list above, certain things should be addressed in policies. But what does that mean? Let’s look at the first two components of the Protect Function: Access Control and Awareness/Training.
The first topic under Protect is Access Control. This is pretty straightforward. What systems need to be secured and how? Look back to your asset identification and risk assessment. For those that need security, how will you identify the user and what method will you use? Is it username and password? Do you need biometrics or another multi-factor authentication method?
But granting access to a user is only part of the equation. You also need to consider what you are going to give them access to. This may be the most important control in your entire organization. You need to restrict users to only the information they need, and provide a means of segregating duties so that no one person can both initiate and approve a sensitive action.
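To make the two ideas in that paragraph concrete, here is a small added example (my own code, not from any product or standard) of a role-based access check that also enforces segregation of duties. The roles, permissions, users and conflict pairs are constructed sample data; the assumption is that a user holding both permissions in a conflict pair is a policy violation that an access review should flag.

```python
"""Least-privilege access checks with segregation-of-duties (SoD) constraints.

Added illustration, not code from the article. All role, permission and
user names are constructed; the SoD conflict pairs are assumed examples of
classic "initiate vs. approve" conflicts.
"""
from dataclasses import dataclass, field

# Role -> permissions that role grants. Each role is deliberately narrow so
# that a user gets only what the job needs (least privilege).
ROLE_PERMISSIONS = {
    "ap_clerk":    {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "hr_admin":    {"employee.read", "employee.update"},
    "helpdesk":    {"account.reset_password"},
}

# Permissions that one person must never hold together (assumed pairs):
# the person who creates a vendor or enters an invoice must not be the one
# who releases payment or approves the invoice; HR edits must not be
# combined with payment release (ghost-employee fraud).
SOD_CONFLICTS = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
    ("employee.update", "payment.release"),
]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def effective_permissions(user: User) -> set:
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return perms


def is_allowed(user: User, permission: str) -> bool:
    """Deny by default: only an explicitly granted permission passes."""
    return permission in effective_permissions(user)


def sod_violations(user: User) -> list:
    """Conflict pairs for which the user holds both permissions."""
    perms = effective_permissions(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def audit(users) -> dict:
    """Map user name -> violations, for users with at least one SoD conflict."""
    return {u.name: v for u in users if (v := sod_violations(u))}


# Constructed sample users for an access review.
ALICE = User("alice", {"ap_clerk"})
BOB = User("bob", {"ap_approver"})
CAROL = User("carol", {"ap_clerk", "ap_approver"})   # accumulated both roles
DAVE = User("dave", {"helpdesk"})
USERS = [ALICE, BOB, CAROL, DAVE]

if __name__ == "__main__":
    print("alice may enter invoices:", is_allowed(ALICE, "invoice.enter"))
    print("alice may release payments:", is_allowed(ALICE, "payment.release"))
    print("SoD audit findings:", audit(USERS))
```

The audit function is the part worth running periodically: role creep (Carol picking up the approver role while keeping the clerk role) is exactly what a quarterly access review is meant to catch.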
You will also need to consider physical access controls for office space, server rooms, telecommunication equipment, etc. How you control access should be driven by the needed security. In an area that needs high security you may want to use an access card system that can monitor when people are entering and leaving an area, as well as restricting entry to authorized persons.
You also need to control remote access. Since these days people can do their work from anywhere, controls over remote access may be more important than physical access. There should be controls over granting users remote access, as well as controls over when it is available and what is available remotely.
How do all these access control measures impact cybersecurity? Attackers want access to the systems and the data held there. By restricting access by user you reduce the number of accounts that the hacker could steal to get to the most confidential information. The harder it is to obtain or use an account, the less likely an attack will succeed.
This brings me to the last point of today’s article, awareness and training. All the advanced security in the world will fail if people do not understand the threats or their responsibilities. You need to remind users not to click on links in random emails. Education on how to create strong passwords and why they shouldn’t write them down will help strengthen the controls you have put into place. I strongly believe that people want to follow the rules if they understand the reason behind them. Telling someone they have to have an 8-character password with upper and lower case, a number, and a special character seems very hard, but when you explain that by adding these various character types you make the password exponentially harder to crack, they will be more accepting of it.
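Since the "exponentially harder" argument is the one you will be making to users, here is an added example (my own illustration, not from the article) that checks a password against the 8-character/four-class rule and shows the keyspace each policy variant produces. The character-class sizes come from the ASCII printable set; the one billion guesses per second figure is an assumed round number for comparing policies, not a measurement of any real attacker.

```python
"""Password policy check and keyspace comparison.

Added illustration, not code from the article. The guess rate is an
assumed figure used only to compare policies against each other.
"""
import string

# Character classes the policy talks about (ASCII printable set).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 characters
    "upper": set(string.ascii_uppercase),   # 26 characters
    "digit": set(string.digits),            # 10 characters
    "special": set(string.punctuation),     # 32 characters
}


def classes_used(password: str) -> set:
    """Names of the character classes actually present in the password."""
    present = set(password)
    return {name for name, chars in CLASSES.items() if present & chars}


def meets_policy(password: str, min_length: int = 8,
                 required=frozenset(CLASSES)) -> bool:
    """The article's rule: at least min_length characters and every required class."""
    return len(password) >= min_length and required <= classes_used(password)


def keyspace(length: int, class_names) -> int:
    """Number of distinct passwords of exactly `length` drawn from the given classes."""
    alphabet = sum(len(CLASSES[name]) for name in class_names)
    return alphabet ** length


def crack_seconds(length: int, class_names, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate."""
    return keyspace(length, class_names) / guesses_per_second


def compare_policies(length: int = 8) -> dict:
    """Keyspace and exhaustive-search time for progressively stricter policies.

    Each added class multiplies the per-position choices, so the keyspace grows
    as (alphabet size) ** length: this is the 'exponentially harder' point.
    """
    variants = {
        "lower only": ["lower"],
        "lower+upper": ["lower", "upper"],
        "lower+upper+digit": ["lower", "upper", "digit"],
        "all four classes": list(CLASSES),
    }
    return {name: (keyspace(length, cls), crack_seconds(length, cls))
            for name, cls in variants.items()}


if __name__ == "__main__":
    for name, (space, secs) in compare_policies().items():
        print(f"{name:20s} keyspace={space:>20,d}  exhaustive search={secs/86400:10.2f} days")
```

Note that the check is purely mechanical: a password can satisfy every class requirement and still be a dictionary word with predictable substitutions, which is why the training conversation matters as much as the rule itself.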
Next time I will address the rest of Protect and then talk about Detect.