Strong Cyber Policy Can Protect Your Organization’s Biggest Vulnerabilities
– Stel Valavanis
In today’s increasingly online and connected business world, risk exists at every turn regardless of your industry. Not every organization is a high-profile target, but the huge volume of attacks and the tiny amount of effort needed to launch them mean no one is immune to becoming a target at some point: an organization’s assets, employees, and customers are at risk as soon as the company’s shingle goes up.
Staying safe is complex, because cybersecurity defense is a wide field that draws on many strategies, pieces of hardware and software, and the hands-on expertise of analysts and leaders. A truly transformative cybersecurity program takes serious time and effort. However, one thing your business can do right now to make a huge stride forward in protecting its information is to lay the foundation for a security operation by crafting and implementing a cybersecurity policy.
A Policy Could Cost You Nothing and Save You Everything
A security policy is a document that defines the specifics of an organization’s cybersecurity, acting as both a blueprint for its cybersecurity operation, as well as establishing a rule set by which users are expected to operate within the organization’s network. Policies range in scope from the organizational level to specific systems and issues.
Carefully crafted policy is the cheapest and easiest way to protect against costly cyberattacks and damaging data breaches. Simply setting out the expectations for users, who are always among the biggest vulnerabilities in any organization, goes a long way towards preventing unwanted scenarios by providing:
- Clarity of controls such as who has access to what systems
- Mapping on how accounts are managed such that forensics and audits become possible
- Critical underlying blueprints for functions such as cybersecurity protections and detection to take place
It is impossible to know what to protect, or what risk level to assign to an event, if there is no policy that spells it out. Effective protection and detection require mapping against a policy, not against some arbitrary best practice.
Getting Everyone in Your Company on the Same Safe Page
Whereas security policy is typically the focus of a dedicated security team, the focus of an IT team is enabling employees. In the effort to keep systems producing, IT staff can unintentionally act in ways that run contrary to good cybersecurity practice.
Enter the lifesaving power of cybersecurity policies, which establish rules to enforce and a means to enforce them, preventing malicious behavior and identifying unintentional unsafe acts. Because employees are one of the biggest cybersecurity vulnerabilities in any organization, education and enforcement protect the employees, the organization, and your customers. In the absence of security policy, users may engage in dangerous behavior out of ignorance, for convenience, or with malicious intent.
Compliance Often Requires Policy
Having policies in place also helps analysts detect abnormal behavior, or activity that contradicts policy, making it easier both to enforce policy internally and to detect external intrusion. Good policies not only help stop such incidents from occurring in the first place, they also protect the organization from legal liability in the case of an attack, and from violations of compliance regimes that require specific policies, which are often industry specific.
It is important to note here that federal, state, and even industry bodies have specific requirements for cybersecurity policy, with penalties for lacking it. Attestations such as the AICPA SOC 2 report for service providers involve examination of specific, required cybersecurity policies. Good policy protects an organization’s public image and credibility, both by preventing embarrassing incidents and by minimizing liability in the case of a successful attack. Policies also aid in the mitigation and remediation of a successful cyberattack, should one occur. They provide consistency for minimizing vendor risk, clarity for handling staff and their accounts, audit trails for data and user access, mappings for protection and detection systems, and much more.
Not only is good cyber policy effective at protecting businesses, employees, and customers, policies typically require fairly little time and money to implement. The main costs associated with cybersecurity policy are the cost of authorship (consulting fees for experts who aid in writing the policy, for example) and the cost of whatever means of enforcement are put in place.
Security policy should be reviewed and changed when necessary, using best practices and organizational experience to inform changes to inadequate or obsolete policy as the global cybersecurity situation and threat landscape evolve. A good cybersecurity policy prioritizes security over convenience. A policy may name the specific people it covers, but policies typically cover all employees in an organization, and any exception that is not spelled out in the policy is unofficial.
Components of a Winning Cyber Security Policy
A cybersecurity policy should define expectations, specify stakeholders, and articulate responsibilities for everyone under the umbrella of the policy. Policies should be clear and easy to understand for those subject to them, and typically do not include technical specifics, both to increase ease of understanding and to reduce the need for amendment. Individual parts of a policy should be narrow, so as to make specific expectations clear, and organizations should also have a comprehensive set of policies covering the broader areas of their cybersecurity operations.
A good example of a policy we follow at onShore is requiring multi-factor authentication for our systems. As a policy, it not only encourages us to follow this good practice, it outlines what is acceptable, what priority to place on it, where it may not apply, and how to verify and audit it, on top of the value of expressing this to clients and insurance providers in the form of an attestation. It also aids detection: attempts to log in without the second factor are tagged immediately as malicious or as an attempted compliance violation.
Another example of a policy we implemented is a User Termination policy. Without such a policy, there was potential for a lack of clarity about the actions to take when an employee or vendor is terminated, leaving gaps if third-party access to systems, services, or data is not revoked on termination. The policy closed this gap by articulating the actions required and the parties responsible for them, and by standardizing the procedure across the different parts of our organization.
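Both policies have a detection side: once a rule is written down, telemetry can be compared against it, which is the "mapping against a policy" point made earlier. The Python below is an added example, not onShore’s code or tooling. The log format, field names, the HR roster, the account export, and the policy parameters (MFA exempt systems, a 24-hour revocation window) are all constructed for illustration.

```python
"""Map two written policies onto telemetry and flag what contradicts them.

Added illustration, not onShore's tooling.  Every input below (policy
parameters, roster, account export, log lines) is constructed for the example.
"""
import json
from datetime import datetime, timedelta

# Constructed: the two policies reduced to machine-checkable parameters.
POLICY = {
    "mfa_required": True,             # MFA is required for our systems
    "mfa_exempt_systems": {"kiosk"},  # the policy names where it does not apply
    "revoke_within_hours": 24,        # termination: access revoked within 24h
}

# Constructed HR/vendor roster (UTC timestamps).
ROSTER = {
    "alice":       {"status": "active",     "terminated_at": None},
    "bob":         {"status": "terminated", "terminated_at": "2021-03-01T17:00:00Z"},
    "vendor-acme": {"status": "terminated", "terminated_at": "2021-02-20T12:00:00Z"},
}

# Constructed account export: is the account still enabled?
ACCOUNTS = {"alice": True, "bob": True, "vendor-acme": False}

# Constructed authentication log, one JSON object per line.
AUTH_LOG = """\
{"ts": "2021-03-02T09:00:00Z", "user": "alice", "system": "vpn", "result": "success", "mfa": true}
{"ts": "2021-03-02T09:05:00Z", "user": "alice", "system": "vpn", "result": "success", "mfa": false}
{"ts": "2021-03-02T09:06:00Z", "user": "alice", "system": "kiosk", "result": "success", "mfa": false}
{"ts": "2021-03-03T08:30:00Z", "user": "bob", "system": "mail", "result": "success", "mfa": true}
{"ts": "2021-03-01T17:30:00Z", "user": "bob", "system": "mail", "result": "success", "mfa": true}
{"ts": "2021-03-02T22:10:00Z", "user": "vendor-acme", "system": "vpn", "result": "failure", "mfa": false}
"""


def _parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


NOW = _parse_ts("2021-03-04T00:00:00Z")  # constructed "current time" for the check


def parse_events(text: str) -> list:
    """Turn the JSON-lines log into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = _parse_ts(event["ts"])
        events.append(event)
    return events


def check_mfa(events: list, policy: dict) -> list:
    """Flag authentications without a second factor on systems the policy covers."""
    findings = []
    if not policy["mfa_required"]:
        return findings
    for e in events:
        if e["system"] in policy["mfa_exempt_systems"]:
            continue  # documented exception, so not a violation
        if not e.get("mfa", False):
            findings.append({
                "rule": "mfa_missing",
                # a success without MFA is a failed control; a failed attempt is still notable
                "severity": "high" if e["result"] == "success" else "medium",
                "user": e["user"], "system": e["system"], "ts": e["ts"].isoformat(),
            })
    return findings


def check_termination(events: list, roster: dict, accounts: dict,
                      policy: dict, now: datetime) -> list:
    """Flag accounts and logins that outlive the revocation deadline the policy sets."""
    findings = []
    grace = timedelta(hours=policy["revoke_within_hours"])
    for user, rec in roster.items():
        if rec["status"] != "terminated":
            continue
        deadline = _parse_ts(rec["terminated_at"]) + grace
        if accounts.get(user, False) and now > deadline:   # account never disabled
            findings.append({"rule": "orphaned_account", "severity": "high",
                             "user": user, "system": "-", "ts": deadline.isoformat()})
        for e in events:                                    # use of access after the deadline
            if e["user"] == user and e["ts"] > deadline:
                findings.append({
                    "rule": "terminated_user_login",
                    "severity": "high" if e["result"] == "success" else "medium",
                    "user": user, "system": e["system"], "ts": e["ts"].isoformat(),
                })
    return findings


def run_checks(log_text: str = AUTH_LOG, roster: dict = ROSTER, accounts: dict = ACCOUNTS,
               policy: dict = POLICY, now: datetime = NOW) -> list:
    events = parse_events(log_text)
    return check_mfa(events, policy) + check_termination(events, roster, accounts, policy, now)


if __name__ == "__main__":
    for f in run_checks():
        print(f"{f['severity']:6} {f['rule']:22} {f['user']:12} {f['system']:6} {f['ts']}")
```

The point of the structure is that every finding cites a rule from the written policy, so an analyst (or an auditor) can trace each alert back to the sentence that justifies it, and the exemptions and grace period the policy grants are honored rather than guessed at: Alice’s kiosk login is not flagged, and Bob’s login half an hour after his termination falls inside the 24-hour window, while his login two days later and his still-enabled account do not.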
For an example in the news, look to the recent attack on a water treatment facility in Oldsmar, Florida. There was no firewall in place to protect the system from outside intrusion, but even if there had been, there would have been no trail of data to audit in the investigation, because no policy required log files to be archived. The plant was also vulnerable due to out-of-date systems, bad password management, and a lack of control around remote access, all of which a cybersecurity policy typically addresses. Recommendations can be made in redressing the issue but, again, without policy there is no standard to hold those responsible to, nor even a clear chain of command to determine who is responsible for the state of the plant’s cybersecurity.
Templates for general cybersecurity policy, which may be sufficient for smaller organizations, are available online. Larger organizations typically have much more detailed and personalized policy, particular to their operation and industry. Organizations of all sizes should research and consider whether they work in an industry with more specific cybersecurity policy requirements. Industry groups often exist in these spaces, with educational material to articulate policy needed in the space, as well as templates for the writing of such policy. For example, the HIPAA Journal releases a yearly compliance checklist for healthcare organizations.
While policy can be created and implemented with the help of a template, and doing so can save time and money, it is good practice to have any policy that originates this way reviewed by experts, from outside the organization if necessary.
Here is a list of policy templates from the SANS Institute (https://www.sans.org/information-security-policy/):
- Acceptable Encryption Policy
- Acceptable Use Policy
- Acquisition Assessment Policy
- Analog/ISDN Line Security Policy
- Anti-Virus Guidelines
- Automatically Forwarded Email Policy
- Bluetooth Baseline Requirements Policy
- Clean Desk Policy
- Communications Equipment Policy
- Data Breach Response Policy
- Database Credentials Policy
- Dial In Access Policy
- Digital Signature Acceptance Policy
- Disaster Recovery Plan Policy
- DMZ Lab Security Policy
- Email Policy
- Email Retention Policy
- Employee Internet Use Monitoring and Filtering Policy
- End User Encryption Key Protection Plan
- Ethics Policy
- Extranet Policy
- Information Logging Standard
- Internet DMZ Equipment Policy
- Internet Usage Policy
- Lab Anti Virus Policy
- Lab Security Policy
- Mobile Device Encryption Policy
- Mobile Employee Endpoint Responsibility Policy
- Pandemic Response Planning Policy
- Password Construction Guidelines
- Password Protection Policy
- Personal Communication Devices and Voicemail Policy
- Remote Access Mobile Computing Storage
- Remote Access Policy
- Remote Access Tools Policy
- Removable Media Policy
- Risk Assessment Policy
- Router and Switch Security Policy
- Security Response Plan Policy
- Server Audit Policy
- Server Malware Protection Policy
- Server Security Policy
- Social Engineering Awareness Policy
- Software Installation Policy
- Technology Equipment Disposal Policy
- Virtual Private Network Policy
- Web Application Security Policy
- Wireless Communication Policy
- Wireless Communication Standard
- Workstation Security (For HIPAA) Policy
The SANS Institute provides starter templates for each of these at the link above.
In 2021, all businesses must make cybersecurity part of their everyday operation. The best place to start is with policy, and good policy is truly valuable. Organizations without an internal security operation can craft their own policy from templates such as those listed above, but should consider some outside consulting. onShore Security can help write solid security policy, consulting with your organization to establish a strong cybersecurity infrastructure, empowering you to protect your organization, employees, and customers, and to do what you do best, prepared for 2021 and beyond.
Image Attribution: Alpha Stock Images – http://alphastockimages.com/
Original Author: Nick Youngson – link to – http://www.nyphotographic.com/
Original Image: https://www.thebluediamondgallery.com/legal/cybersecurity.html