If you are asked to formulate corporate cybersecurity policies, here is some advice:
- Identify the key stakeholders who will be affected by the directives to be written
- Get support from senior management to set up a task force with representatives from those stakeholders
- Establish ground rules for all members so that the policy content stays consistent, because the members come from different backgrounds with different interests
- Understand the organization's business environment and priorities clearly, because the policies exist to apply the right controls to protect the business
- The policies must be achievable (otherwise they cause immediate non-compliance or require permanent exceptions)
- They must also be enforceable, or else the policy is just a document on the bookshelf
- Review whether the stated measures will really make the systems and infrastructure more secure, or whether they are just copied from an academic template
- Avoid ambiguity: make the wording precise in two senses, precise-generic and precise-specific. Sounds contradictory?
- Example: only organization devices are allowed to connect to the organization network
- Precise specific: organization devices … not BYOD, not business partners’
- Precise generic: devices … could be notebook, desktop, server, NAS, IP cam, IP phone, access control device, digital display board … etc
- NOT precise: "organization network". What about the guest WiFi, or remote access from outside by a non-organization device?
- The proper clause: only organization devices are allowed to connect directly to the inside of the organization network
- Lobby the internal audit team to get consensus on a grace period
- Communicate the policy requirements before making them effective
- Review the policies periodically for revision after publication
In the illustration, is it "13" or "B"? It is subject to interpretation.