Category: Policies

If you are asked to formulate corporate cybersecurity policies, here are some advices: Identify key stake holders that will be affected by the to-be directivesGet support from senior management to setup a task force with the representatives from stake holdersEstablish ground rules for all members such that the policy context is consistency because the members are from different background with different interestsThe organization business environment and priorities must be clearly understood because the policies are to apply optimal controls to protect the businessThe policies must be achievable (otherwise immediately causing non-compliance or requiring permanent exception)Must also be enforceable or else just a document in the bookshelfReview if the stated measures will really make the system/infrastructure more secure or just copying academic template?Avoid ambiguity, make the context precise in the way precise generic and precise specific; Sound contradicting?Example: only organization devices are allowed to connect to the organization networkPrecise specific: organization devices ... not BYOD, not business partners'Precise generic: devices … could...

Establishing cyber directives (policies) is challenging. On one hand, the language must be chosen not too specific for flexibility but on contrary too loose will be difficult to enforce practically. The bottom line is to establish organization specific directive per its line of business based on commonly recognized best practices and industry regulations (e.g. CIP, PCIDSS, HIPAA, SOX, GDPR). Over time, regular review among stake holders is required to fine tune the language based on experience of adoption to address any limitations. And this regular review process shall also be specified in the directive itself as part of the compliance....

Everything has multiple perspectives. A point of attraction could become the point of attack. Example is setting up web site for presence in the cyber world. The business people wish to have high hit rates of the web site to enhance brand visibility, collect surfer behaviors for analytics, thus pushing the right level of promotion and adjust market strategy. All these are to prove the ROI for web site TCO. The technical people wish to lock down the web site to avoid being defaced or being planted with malicious codes for persistent threats. All these will inevitably affect certain functionalities or incurred extra cost. Such investment is to prove avoidance cost rather than ROI because people generally expect cyber secure - rather than by investing $X, $Y will be gained. Bridging the gap will require cyber governance at the top level to set out cyber directives within an organization, resolve issues and have a final say for conflicts arising,...

In stipulating policies (written management directives), the hard part is in the language for having specific objective with flexibility and without ambiguity - balance between specific and generic descriptions. The applicability of policies is another challenge. For the illustration "No trespassing", where is applied: thru the path or go over the fence? ...

Like any types of tools in both physical and cyber worlds, this can be used for legitimate or evil purposes. Examples are illustrated below. Legitimate purpose Content masking: required to protect privacy information in meeting regulatory compliance or certain industry requirements.Penetration test tools: cybersecurity assessment to uncover weakness of the target of evaluation for strengthening Evil purpose Identity masquerading: the usual trick for phishing or social attacks.Without the asset owner authorization, use of penetration test tools is considered as malicious purposes to launch cyber attack and subject to disciplinary action, civil or criminal litigation. Who judges the proper use? It's set out by Corporate policies (if internal matters)Laws & regulations (when externally involving different entities) ...