Policies and Standards and Procedures – Oh My!
March 31, 2021
From a security engineering point of view, policies and procedures often feel like afterthoughts. Once the technical controls are in place to protect data and systems – e.g., a strong chain of firewalls, intrusion protection, anti-malware and secure authentication – the business value of having policies, standards and procedures documented is perceived as low. Why do system users need to understand and acknowledge their part in keeping data secure?
Perhaps we shouldn’t have been surprised to find we faced a user rebellion. Websites that the training division used stopped functioning due to the restrictions on Flash. The Marketing team was unable to get materials to their creative partners because we restricted uploads to the cloud. More complaints rolled in. Underlying the complaints was a valid question: What policy required the restrictions on Internet activity and on whose authority was this put in place?
Sometimes secure technology gets ahead of policy. Users are understandably confused and annoyed when they find something they could do yesterday – like transfer a file to a business partner – is no longer possible. Smart people will find ways around security gates, whether through cloud uploads, data transferred via unencrypted USB drives or the use of reverse proxies. They may not realize they’re exposing the organization to increased risk. IT security tools alone are often not enough to change behavior.
Good IT policy is like a blanket: It should securely cover all the corners and provide protection and assurance – not just a feeling of comfort. But sometimes it gets pulled over to one side, leaving another side exposed (competing priorities, lack of resources, short-term needs, etc.). And sometimes people intentionally stick their legs out from underneath to escape its purpose (rogue staff, noncompliance, too heavy). And finally, sometimes it needs to be washed, mended or replaced to become purposeful again (review, revision, adaptation to change, ensuring relevance, closing holes).
Organizations need policies for acceptable use of technology, as well as standards for data protection. The policies should explicitly state why the security measures are in place: how do they protect sensitive information and support the organization’s mission?
Policies come from the top – from the CIO, CISO, legal counsel or other executive responsible for security. The intent of the policy is to manage risk to a level that is acceptable, as determined by the C-Suite. The security team is not dictating what should happen, but executives are. In addition, every policy governance structure should have an exception process where businesses can spend the money to either provide compensating controls at their own expense or justify their position to the executives on why their business needs an exception.
Executive support is key to creating a culture of security across the organization. Training and awareness programs help spread the word and spark change. When company employees agree with security rationale, they follow the guidelines. Even if there are still those who stretch the rules, the core culture of protecting and safeguarding information will be in place.
When I mention training and awareness, you may think of an Internet video or PowerPoint presentation. I’m thinking of the time when a joint Legal and Information Security team went to the company cafeteria to hand out cards with the new information classification system. This was part of a data labeling and data loss prevention rollout. The colorful cards clipped onto employee badges and had quick tips for identifying and protecting data. Each card was handed out along with a snack or dessert. It was the first time I saw people lining up eagerly for security training.
Gamification is also an encouraging development in security training. To complete ethics training, some companies have employees play a game where the user is placed in challenging situations, such as being asked to send a bribe to a local official to get building permits. If the user agrees – oops! He/she just lost a level. Security awareness can also use games and scenarios to make learning interesting and memorable.
While organizations need policies and standards, too many of these can become a burden and over-complicate business processes. Prioritize the essential policies and standards by identifying the regulatory needs of the organization. Ensure that, at a minimum, policies address those requirements.
Sending each employee a 100-page acceptable use policy to review is unlikely to garner a lot of positive feedback. Policies themselves should be quite short – ideally just a page or two. Standards can be longer, as they flesh out details of the requirements and implementation. Procedures are often technical and can be as long as needed to ensure that configuration and settings are correctly applied to meet policy and standards.
Table 1: Policies, Procedures, Standards, and Guidelines
Some organizations have too many policies and need to consolidate or reduce them. When a policy or standard is reviewed to determine whether to keep or retire it, ask:
Once you have a structured policy library in place, you have taken steps to satisfy the requirements of many industry and government regulations, including Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) and the Cybersecurity Maturity Model Certification (CMMC).
Policies and procedures should be based on established frameworks, and the organization’s role in government, critical infrastructure or industry will guide framework adoption. Examples of frameworks include the NIST Cybersecurity Framework (CSF), ISO/IEC programs, Federal Financial Institutions Examination Council (FFIEC) standards and PCI SSC standards.
To begin, identify the current policies and standards in use by your organization. An initial exercise may include cross-referencing these documents to the selected control framework or standard. A gap assessment will detect areas that are not sufficiently addressed in existing policies, standards and procedures. Out of this exercise will emerge a list of key policies and standards that need to be developed or updated.
The next step is to set up a template to use consistently for policies and standards. Typically, the template for standards will include sections shown here:
Table 2: Template Example
Documents may be developed internally or with the help of a consultant; experience with framework requirements is often helpful. A consultant familiar with PCI or HIPAA can help your organization write policies and standards that meet those requirements.
So consider the humble “P&P” – policies and procedures. Not as exciting as a new firewall, but still an important part of a security program. By keeping your organization’s policies current and relevant, you provide essential direction and practical guidance to keep data secure and protected.
Peer review and contributor: Matthew D. Lammers – Manager, IT Risk Transformation & Advisory CISO