Category: Policies

The cyber world is built up by connecting different systems and devices via information highway. Therefore, the key cybersecurity element is to establish the perimeter. In physical world, port control is the location perimeter. You need to go thru immigration, bag scanning at custom before you and your accompanied goods are permitted for entry. Some countries also require going thru immigration before exit. This is easily visualized. In cyber world, controls at the network perimeter will need precise directives (or policies) such that adding new components or functions shall comply with the rules accordingly. That said, the policy must be precise. Most often, "connection" is unclear and need clarity. Using ISO 7 layer concept, network cables are always physically connected to the network devices. For certain cases if network based IPS or IDS is deployed, it will need collecting mirrored traffic from all over the network devices even if these network segments are zoned by design. ...

If you are asked to formulate corporate cybersecurity policies, here are some advices: Identify key stake holders that will be affected by the to-be directivesGet support from senior management to setup a task force with the representatives from stake holdersEstablish ground rules for all members such that the policy context is consistency because the members are from different background with different interestsThe organization business environment and priorities must be clearly understood because the policies are to apply optimal controls to protect the businessThe policies must be achievable (otherwise immediately causing non-compliance or requiring permanent exception)Must also be enforceable or else just a document in the bookshelfReview if the stated measures will really make the system/infrastructure more secure or just copying academic template?Avoid ambiguity, make the context precise in the way precise generic and precise specific; Sound contradicting?Example: only organization devices are allowed to connect to the organization networkPrecise specific: organization devices ... not BYOD, not business partners'Precise generic: devices … could...

Establishing cyber directives (policies) is challenging. On one hand, the language must be chosen not too specific for flexibility but on contrary too loose will be difficult to enforce practically. The bottom line is to establish organization specific directive per its line of business based on commonly recognized best practices and industry regulations (e.g. CIP, PCIDSS, HIPAA, SOX, GDPR). Over time, regular review among stake holders is required to fine tune the language based on experience of adoption to address any limitations. And this regular review process shall also be specified in the directive itself as part of the compliance....

Everything has multiple perspectives. A point of attraction could become the point of attack. Example is setting up web site for presence in the cyber world. The business people wish to have high hit rates of the web site to enhance brand visibility, collect surfer behaviors for analytics, thus pushing the right level of promotion and adjust market strategy. All these are to prove the ROI for web site TCO. The technical people wish to lock down the web site to avoid being defaced or being planted with malicious codes for persistent threats. All these will inevitably affect certain functionalities or incurred extra cost. Such investment is to prove avoidance cost rather than ROI because people generally expect cyber secure - rather than by investing $X, $Y will be gained. Bridging the gap will require cyber governance at the top level to set out cyber directives within an organization, resolve issues and have a final say for conflicts arising,...

In stipulating policies (written management directives), the hard part is in the language for having specific objective with flexibility and without ambiguity - balance between specific and generic descriptions. The applicability of policies is another challenge. For the illustration "No trespassing", where is applied: thru the path or go over the fence? ...