Developing Cybersecurity Programs and Policies

by Omar Santos 2018 672 pages

Key Takeaways

1. Cybersecurity is a critical business discipline for protecting information assets

Cybersecurity can no longer be something that you delegate to the information technology (IT) team. Everyone needs to be involved, including the Board of Directors.

Holistic approach. Cybersecurity must be integrated throughout an organization, not siloed within IT. It requires involvement from leadership, employees, and partners to be effective. Organizations should adopt a security framework like NIST or ISO 27001 to provide structure.

Business enabler. When strategically aligned, security functions as a business enabler that adds value. It should be given the same consideration as other fundamental business drivers. This requires leadership that recognizes cybersecurity's value, invests in people and processes, and treats it as essential to achieving organizational objectives.

Policy foundation. Written cybersecurity policies, authorized by leadership, provide direction and codify the organization's commitment. Policies should be relevant, realistic, adaptable, and inclusive. They must be regularly reviewed and updated as the threat landscape evolves.

2. The CIA triad forms the foundation of information security objectives

Confidentiality, integrity, and availability (CIA) are the unifying attributes of an information security program.

Confidentiality protects information from unauthorized access or disclosure. Controls include encryption, access restrictions, and data classification.

Integrity ensures information is not improperly modified or destroyed. It relies on controls like hashing, digital signatures, and change management processes.

Availability means information and systems are accessible when needed. This requires redundancy, fault tolerance, and business continuity planning.

  • The relative importance of C, I, and A may vary based on the organization's mission and regulatory requirements
  • All security controls and processes should map back to protecting one or more elements of the CIA triad
  • Risk assessments evaluate potential impacts to CIA to determine appropriate safeguards
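The integrity controls named above (hashing, digital signatures) differ in what they defend against, and the difference is worth seeing in code. The following is an added example, not material from the book: it uses Python's standard library to show that an unkeyed SHA-256 digest catches accidental or naive modification, but fails as an integrity control whenever the party who can change the data can also rewrite the stored digest. A keyed tag (HMAC here; a digital signature plays the same role when the verifier should not hold a secret) closes that gap because only the key holder can produce a valid tag. The configuration blob, the tampered copy and the keys are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the book): a small configuration file
# whose contents must not be altered at rest or in transit.
ORIGINAL = b"allow_remote_admin=false\nmax_login_attempts=5\n"
TAMPERED = b"allow_remote_admin=true\nmax_login_attempts=5\n"

# Integrity key held by the verifier only. In a real deployment it lives in a
# secrets manager or HSM, never beside the data it protects.
INTEGRITY_KEY = secrets.token_bytes(32)


def unkeyed_digest(data: bytes) -> str:
    """Plain SHA-256 digest: detects corruption, bit rot, careless edits."""
    return hashlib.sha256(data).hexdigest()


def verify_unkeyed(data: bytes, expected: str) -> bool:
    # compare_digest runs in constant time, so the comparison itself does not
    # leak how many leading characters of the digest matched.
    return hmac.compare_digest(unkeyed_digest(data), expected)


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can compute a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), expected)


def unkeyed_check_survives_rewrite() -> bool:
    """Failure mode of a bare hash: whoever can write the data can also
    recompute and store the digest, so verification still passes."""
    stored_data, stored_digest = ORIGINAL, unkeyed_digest(ORIGINAL)
    # The same actor replaces both the data and its stored digest.
    stored_data, stored_digest = TAMPERED, unkeyed_digest(TAMPERED)
    return verify_unkeyed(stored_data, stored_digest)


def keyed_check_survives_rewrite() -> bool:
    """With a keyed tag the rewrite is caught: an actor without INTEGRITY_KEY
    can only store a tag computed under some other key, which the verifier
    rejects."""
    stored_data, stored_tag = ORIGINAL, keyed_tag(INTEGRITY_KEY, ORIGINAL)
    other_key = secrets.token_bytes(32)  # the real key is not available
    stored_data, stored_tag = TAMPERED, keyed_tag(other_key, TAMPERED)
    return verify_keyed(INTEGRITY_KEY, stored_data, stored_tag)


if __name__ == "__main__":
    print("plain digest catches a simple edit:",
          not verify_unkeyed(TAMPERED, unkeyed_digest(ORIGINAL)))
    print("plain digest still passes after data+digest rewrite:",
          unkeyed_check_survives_rewrite())
    print("keyed tag still passes after data+tag rewrite:",
          keyed_check_survives_rewrite())
```

The practical consequence for a policy: a hash published alongside the data it covers is a corruption check, not a tamper-evidence control. Tamper evidence needs the digest to be protected by something the writer of the data does not control, whether an HMAC key, a signing key, or an independently stored reference digest.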

3. Effective cybersecurity policies require proper governance and risk management

Governance is the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives.

Leadership involvement. The Board and executives must actively participate in cybersecurity governance. This includes authorizing policies, providing resources, and receiving regular briefings on the security posture.

Risk-based approach. Organizations should adopt a formal risk management process to identify, assess, and mitigate cybersecurity risks. This allows for prioritization of efforts and resources.

Key governance roles:

  • Chief Information Security Officer (CISO)
  • Cybersecurity steering committee
  • Information owners
  • Information custodians

Risk management steps:

  1. Risk identification
  2. Risk assessment
  3. Risk treatment (accept, mitigate, transfer, avoid)
  4. Ongoing monitoring

4. Asset management and data classification are essential for protection

Information owners are responsible for classifying data.

Asset inventory. Organizations must maintain a comprehensive inventory of information assets, including hardware, software, and data. This provides visibility into what needs to be protected.

Classification scheme. Data should be classified based on its sensitivity and criticality to the organization. Common private sector classifications include:

  • Protected/Confidential
  • Internal Use
  • Public

Handling standards. Each classification level should have defined handling requirements for storage, transmission, access, and disposal. This ensures appropriate safeguards are consistently applied.

Asset management responsibilities:

  • Identifying and documenting assets
  • Assigning ownership
  • Defining acceptable use
  • Ensuring proper disposal

Benefits of classification:

  • Focuses security efforts on the most critical assets
  • Enables tailored controls based on sensitivity
  • Supports compliance with regulations

5. Human resources play a vital role in maintaining cybersecurity

Security awareness programs, security training, and security education all serve to reinforce the message that security is important.

Employee lifecycle. Security considerations should be integrated throughout the employee lifecycle:

  • Recruitment: Background checks, security expectations in job descriptions
  • Onboarding: Confidentiality agreements, acceptable use policies
  • Ongoing: Regular training and awareness programs
  • Termination: Prompt revocation of access

Security culture. HR initiatives can help foster a culture of security awareness where employees understand their role in protecting information assets.

Training program. A comprehensive security education program should include:

  • Awareness: Reminders about security practices (e.g., posters, newsletters)
  • Training: Teaching specific skills (e.g., how to identify phishing emails)
  • Education: In-depth knowledge for security professionals

6. Physical and environmental security safeguard information and systems

The objective of physical and environmental security is to prevent unauthorized access, damage, and interference to business premises and equipment.

Layered approach. Physical security should employ multiple layers of protection:

  • Site selection and design
  • Perimeter security (fences, gates, guards)
  • Building access controls
  • Secure areas within buildings
  • Equipment-level protections

Environmental controls. Safeguards against environmental threats include:

  • Fire detection and suppression
  • Climate control (temperature, humidity)
  • Power protection (UPS, generators)
  • Water detection/protection

Asset disposal. Proper disposal of equipment and media is crucial to prevent data breaches:

  • Secure wiping of storage devices
  • Physical destruction when necessary
  • Documented chain of custody
  • Certified destruction services

7. Access control management is crucial for preventing unauthorized access

The primary objective of access controls is to protect information and information systems from unauthorized access (confidentiality), modification (integrity), or disruption (availability).

Fundamental principles:

  • Least privilege: Users should have only the minimum access needed for their role
  • Need-to-know: Access should be restricted to information required for job functions
  • Separation of duties: Critical tasks should be divided among multiple individuals

Access control models:

  • Mandatory Access Control (MAC): System-enforced, policy-based (used in high-security environments)
  • Discretionary Access Control (DAC): Owner-defined permissions (common in commercial systems)
  • Role-Based Access Control (RBAC): Permissions assigned to roles, users assigned to roles

Authentication factors:

  1. Something you know (password, PIN)
  2. Something you have (smart card, token)
  3. Something you are (biometrics)

  • Multi-factor authentication combines two or more factors for stronger security
  • Access should be regularly reviewed and promptly revoked when no longer needed
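The access control principles in this section (least privilege, separation of duties, role-based access control, periodic review and prompt revocation) can be expressed as a small policy engine. The following is an added example and not code from the book: a minimal RBAC model in Python for a constructed accounts-payable workflow, where each role carries only the permissions its job function needs, a separation-of-duties rule blocks one person from both creating and approving invoices, deprovisioning strips all rights at termination, and an access review flags accounts whose access is overdue for re-certification or should be revoked. Role names, permission strings and the 90-day review interval are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed example data: three job functions in an accounts-payable
# workflow. Each role holds only the permissions that function needs
# (least privilege); there is no catch-all "admin" role.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:read", "invoice:approve"},
    "auditor": {"invoice:read", "ledger:read"},
}

# Separation of duties: role combinations a single person may never hold.
CONFLICTING_ROLES = {frozenset({"ap_clerk", "ap_approver"})}

# Assumed policy value: access must be re-certified at least every 90 days.
REVIEW_INTERVAL = timedelta(days=90)


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    last_reviewed: date = date(2000, 1, 1)
    active: bool = True


def sod_conflict(roles) -> bool:
    """True if the role set contains any forbidden combination."""
    return any(pair <= set(roles) for pair in CONFLICTING_ROLES)


def assign_role(user: User, role: str) -> bool:
    """Grant a role unless it is unknown or would violate separation of
    duties. Returns True when granted, False when refused."""
    if role not in ROLE_PERMISSIONS:
        return False
    if sod_conflict(user.roles | {role}):
        return False
    user.roles.add(role)
    return True


def effective_permissions(user: User) -> set:
    """Union of the user's role permissions; a disabled account has none."""
    if not user.active:
        return set()
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: User, permission: str) -> bool:
    return permission in effective_permissions(user)


def deprovision(user: User) -> None:
    """Termination step: disable the account and remove every role."""
    user.active = False
    user.roles.clear()


def access_review(users, today: date) -> list:
    """Return (name, reason) findings for accounts that need action: reviews
    past the interval, disabled accounts still holding roles, and standing
    separation-of-duties violations (e.g. roles granted outside this engine)."""
    findings = []
    for u in users:
        if u.active and today - u.last_reviewed > REVIEW_INTERVAL:
            findings.append((u.name, "review overdue"))
        if not u.active and u.roles:
            findings.append((u.name, "inactive account still holds roles"))
        if sod_conflict(u.roles):
            findings.append((u.name, "separation-of-duties conflict"))
    return findings


if __name__ == "__main__":
    alice = User("alice", {"ap_clerk"}, date(2024, 1, 10))
    print("alice may approve invoices:", is_authorized(alice, "invoice:approve"))
    print("grant alice ap_approver:", assign_role(alice, "ap_approver"))
    carol = User("carol", {"ap_clerk", "ap_approver"}, date(2023, 1, 1))
    for finding in access_review([alice, carol], date(2024, 6, 1)):
        print("review finding:", finding)
```

Two design points carry over to real systems: authorization decisions are computed from roles at request time rather than cached per user, so a revocation takes effect immediately, and the review routine checks the live role data rather than trusting that every grant went through `assign_role`, which is how conflicts introduced by a direct database edit or a legacy provisioning path get caught.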

8. Operational security procedures protect day-to-day activities

Standard operating procedures (SOPs) are detailed explanations of how to perform a task.

Change management. A formal process for requesting, evaluating, approving, and implementing changes helps maintain stability and security:

  • Request for Change (RFC) submission
  • Impact assessment
  • Approval workflow
  • Implementation planning
  • Post-change review

Patch management. Timely application of security patches is critical:

  • Regular vulnerability assessments
  • Prioritization based on risk
  • Testing before deployment
  • Emergency procedures for critical vulnerabilities

Malware protection. A multi-layered approach is necessary:

  • Anti-malware software
  • Email and web filtering
  • User awareness training
  • Network segmentation
  • Endpoint protection

9. Incident response and business continuity ensure resilience

Organizations need an incident response capability and must know how to comply with the myriad of state data-breach notification laws.

Incident response plan. Organizations need a documented plan for detecting, responding to, and recovering from security incidents:

  • Roles and responsibilities
  • Detection and analysis procedures
  • Containment strategies
  • Eradication and recovery steps
  • Post-incident activities

Business continuity. Planning for disruptions helps maintain critical operations:

  • Business impact analysis
  • Recovery time objectives (RTO)
  • Recovery point objectives (RPO)
  • Alternate site planning
  • Regular testing and exercises

Regulatory compliance. Many industries have specific requirements for incident reporting and notification:

  • Understanding applicable laws and regulations
  • Documenting evidence for investigations
  • Timely notification to affected parties
  • Cooperation with law enforcement when appropriate
