Policies – Page 7 – The SECOND Advisories Limited

Proper Usage

21st July 202021st July 2020 By cliangNo Comments

Roads connect different destinations in physical world. Every road user (vehicle or any kind, pedestrian or live objects) has to comply with the usage rule for safety. Network connects different hosts or systems as cyber world. Similarly, there are also rules that every user (device, human) must follow to become cyber safe. Even if you are using the information processing facility without any network connection, say a totally isolated computer, you also need to bear the same in mind. This is because it is a usage habit such that you adopt consistently. Like driving habit, you apply the same attitude no matter for work or for leisure. ...

Connection

10th July 202010th July 2020 By cliang1 Comment

The cyber world is built up by connecting different systems and devices via information highway. Therefore, the key cybersecurity element is to establish the perimeter. In physical world, port control is the location perimeter. You need to go thru immigration, bag scanning at custom before you and your accompanied goods are permitted for entry. Some countries also require going thru immigration before exit. This is easily visualized. In cyber world, controls at the network perimeter will need precise directives (or policies) such that adding new components or functions shall comply with the rules accordingly. That said, the policy must be precise. Most often, "connection" is unclear and need clarity. Using ISO 7 layer concept, network cables are always physically connected to the network devices. For certain cases if network based IPS or IDS is deployed, it will need collecting mirrored traffic from all over the network devices even if these network segments are zoned by design. ...

Sense of Security

6th April 20206th April 2020 By cliangNo Comments

This is largely based on preception and trust. How do I trust if the infrastructure or system is secure? We need to look at these core elements: Any regulatory mandate in this industry sector? Pick public transportation as example, mandatory insurance coverage, regular inspection for license renewal, periodic operator training, compliance with safety regulations etc.How well is the service provider doing among peers? Let's say, the type and severity or incidents of this provider in past years among others, rating from customer reviews and comments.How does the service provider demonstrate what has been done to secure? Common examples are personal data handling transparency via the published privacy policy, alert end user on login from other rare locations, security tips in their official portal, committed service level pledge. All the above are applied in both the physical and cyber worlds. ...

Policy #5

27th February 202027th February 2020 By cliangNo Comments

If you are asked to formulate corporate cybersecurity policies, here are some advices: Identify key stake holders that will be affected by the to-be directivesGet support from senior management to setup a task force with the representatives from stake holdersEstablish ground rules for all members such that the policy context is consistency because the members are from different background with different interestsThe organization business environment and priorities must be clearly understood because the policies are to apply optimal controls to protect the businessThe policies must be achievable (otherwise immediately causing non-compliance or requiring permanent exception)Must also be enforceable or else just a document in the bookshelfReview if the stated measures will really make the system/infrastructure more secure or just copying academic template?Avoid ambiguity, make the context precise in the way precise generic and precise specific; Sound contradicting?Example: only organization devices are allowed to connect to the organization networkPrecise specific: organization devices ... not BYOD, not business partners'Precise generic: devices … could...

ROI

28th May 2019 By cliangNo Comments

Return On Investment (ROI) is the typical approach to justify the spending to acquire asset. For the sample solar renewable energy illustrated, this is simple: One-off cost like equipment purchase & installation Recurring cost like maintenance, insurance, administrative (if trading to grid is involved) In a 5 or 10 years total cost model, how much energy charges could be saved, or how much revenue is generated if energy is sold back to the grid vs how much expense to paid. However, there are risks that might affect the net gain: Sufficiency of sun light intensity Weather condition at the location Physical security of equipment against theft or sabotage In cyber protection technology, stake holders normally expect cyber-security is the baseline and integrated with the asset. Adding extra cost won't be seen as ROI. A slightly adjusted model is to calculate the avoidance cost of a single cyber-security incident vs investment. Therefore, the justification is to be: If we invest $X, then we could avoid spending...

Born or Made

1st May 2019 By cliangNo Comments

Cybersecurity vulnerabilities are broadly categorized into 2 types: [a] Inherent weakness in the component, protocol (e.g. PLC, ftp) that is insecure by design [b] Improper deployment causes a secure component (e.g. FIPS-140-2 Level-4 certified crypto module) into insecure due to lack the required surrounding elements (likely broken business process or human negligence) Type [a] can be overcome at time of procurement to specify requirement. Type [b] can be identified via vulnerability assessment of the deployed solution in people, process and technology perspectives...

Direction

21st April 201922nd April 2019 By cliangNo Comments

Establishing cyber directives (policies) is challenging. On one hand, the language must be chosen not too specific for flexibility but on contrary too loose will be difficult to enforce practically. The bottom line is to establish organization specific directive per its line of business based on commonly recognized best practices and industry regulations (e.g. CIP, PCIDSS, HIPAA, SOX, GDPR). Over time, regular review among stake holders is required to fine tune the language based on experience of adoption to address any limitations. And this regular review process shall also be specified in the directive itself as part of the compliance....

Big or Small

5th April 20195th April 2019 By cliangNo Comments

Cyber assets, no matter big or small, must be managed via the same practice and same maintenance regarding cybersecurity as long as they are hosted in the same ecosystem. Zoning might make certain difference but things could be broken due to many reasons. Defense-in-depth must be adopted. ...

Point of Attraction

27th February 201927th February 2019 By cliangNo Comments

Everything has multiple perspectives. A point of attraction could become the point of attack. Example is setting up web site for presence in the cyber world. The business people wish to have high hit rates of the web site to enhance brand visibility, collect surfer behaviors for analytics, thus pushing the right level of promotion and adjust market strategy. All these are to prove the ROI for web site TCO. The technical people wish to lock down the web site to avoid being defaced or being planted with malicious codes for persistent threats. All these will inevitably affect certain functionalities or incurred extra cost. Such investment is to prove avoidance cost rather than ROI because people generally expect cyber secure - rather than by investing $X, $Y will be gained. Bridging the gap will require cyber governance at the top level to set out cyber directives within an organization, resolve issues and have a final say for conflicts arising,...

Policies #4

23rd January 2019 By cliangNo Comments

In stipulating policies (written management directives), the hard part is in the language for having specific objective with flexibility and without ambiguity - balance between specific and generic descriptions. The applicability of policies is another challenge. For the illustration "No trespassing", where is applied: thru the path or go over the fence? ...