Policy #5

If you are asked to formulate corporate cybersecurity policies, here is some advice:

- Identify the key stakeholders who will be affected by the to-be directives.
- Get support from senior management to set up a task force with representatives from those stakeholders.
- Establish ground rules for all members so that the policy context stays consistent, because the members come from different backgrounds with different interests.
- The organization's business environment and priorities must be clearly understood, because the policies are meant to apply optimal controls to protect the business.
- The policies must be achievable (otherwise they immediately cause non-compliance or require a permanent exception).
- They must also be enforceable, or they are just a document on the bookshelf.
- Review whether the stated measures will really make the system/infrastructure more secure, or whether they just copy an academic template.
- Avoid ambiguity: make the context precise in both ways, precise generic and precise specific. Sound contradictory? Example: only organization devices are allowed to connect to the organization network. Precise specific: organization devices ... not BYOD, not business partners'. Precise generic: devices … could...

When Security System Fails

The security function of a business or physical process is protected by a security system. The specific security system for the latter is the SIS (Safety Instrumented System). When the security system fails, its intended function fails too. The result could be loss of view, a view being manipulated, sub-standard product being produced, damage to high-value assets, environmental pollution and, most seriously, human fatality. When assessing business impacts, we must not forget to assess the entire ecosystem, including these auxiliary systems. ...