4. Create a “Living” Corporate Security Document
A ‘living’ corporate security policy is the document that states in writing how your organization plans to protect the company's physical and information technology (IT) assets. It’s a living document because it’s never final – you should keep updating it as geographic risk, people risk, physical and network resource risk and other forms of risk change or evolve over time and affect your organization. As new threats arrive, such as ransomware, you’ll want to add policies that address them, for example a corporate anti-phishing policy and a policy on how to deal with ransomware. Most corporate security policies cover acceptable use, password management, network access control, bring your own device, encryption and other areas, each with a description of how the risk is mitigated and how the policy is to be enforced. You’ll also want policies that help you prove due care and due diligence in complying with the regulations that affect your organization (FISMA, EU GDPR, GLBA, SOX, HIPAA-HITECH, VISA PCI, etc.).
Steps involved:
1) Review various corporate security models and find one you like – most are inexpensive and even freely available, such as ISO 27001 (http://www.iso.org/iso/home/standards/management-standards/iso27001.htm), ISACA’s COBIT (http://www.isaca.org/cobit/pages/default.aspx), or the NIST Cybersecurity Framework (http://www.nist.gov/cyberframework/).
2) Explain to key executives and employees how important this document, and their acceptance of it, is for protecting the organization from regulatory compliance pressure, maintaining compliance and reducing the risk of a breach. Have them read this one story to see what happens when a regulator (over-reaching) gets involved: http://michaeljdaugherty.com. It won’t be the breach that puts you out of business; it might actually be a government regulator.
3) Roll it out and update it as necessary. Test the controls in each policy section – for example, test password management as well as backup and restore.
40 Cyber Warnings E-Magazine – August 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide