If you are asked to formulate corporate cybersecurity policies, here is some advice:

  • Identify the key stakeholders that will be affected by the planned directives
  • Get support from senior management to set up a task force with representatives from those stakeholders
  • Establish ground rules for all members so that the policy content stays consistent, because the members come from different backgrounds with different interests
  • The organization's business environment and priorities must be clearly understood, because the policies exist to apply optimal controls that protect the business
  • The policies must be achievable (otherwise they immediately cause non-compliance or require a permanent exception)
  • They must also be enforceable, or else they are just a document on the bookshelf
  • Review whether the stated measures will really make the system/infrastructure more secure, or whether they merely copy an academic template
  • Avoid ambiguity: make the wording precise in both the generic and the specific sense. Sounds contradictory?
    • Example: only organization devices are allowed to connect to the organization network
    • Precise specific: organization devices … not BYOD, not business partners'
    • Precise generic: devices … could be notebook, desktop, server, NAS, IP cam, IP phone, access control device, digital display board … etc.
    • NOT precise: organization network; what about guest WiFi, or remote access from outside by a non-organization device?
    • The proper clause: only organization devices are allowed to connect directly inside the organization network
  • Lobby the internal audit teams to reach consensus on a grace period
  • Communicate the policy requirements before making them effective
  • Review for revision periodically after publishing

For the illustration, is it “13” or “B”? It is subject to interpretation.
