Malware Manual – Part 2: Building Your Cybersecurity Policy

1/9/2019

Is your organization among those fortifying its cybersecurity team? If so, congratulations. You’re among the minority of small to mid-size businesses (SMBs). The shocking facts are:

  • Most SMBs are short-staffed for cybersecurity.
  • Many don’t budget for cybersecurity.
  • And many are in the dark about data breaches.

Those realities are among the reasons we encourage readers to adhere to the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). The first of the framework’s five core functions is “Identify,” and one part of this initial phase of improving your cybersecurity posture is developing a risk management strategy. And perhaps the most essential element of any business strategy is crafting policy.

How do you build a cybersecurity policy? We found a step-by-step primer in CSO magazine by infosec expert Jennifer Bayuk. Here’s a digest of what Bayuk recommends should go into your cybersecurity policy, with our own spin added in a few places:

  1. Scope – all systems, facilities, programs, data, networks and technology users, without exception.
  2. Classifications of information should be content-specific – e.g., “financial” or “customer” data – rather than generic labels such as “confidential” or “restricted.”
  3. Set management goals for the secure handling of information in each classification you create.
  4. Put cybersecurity policy in context with other management directives and documents. In short, your cybersecurity policy should be consistent with all other management policies – and endorsed by all your senior executives.
  5. Include references to supporting documents (e.g., roles and responsibilities, process, technology standards, procedures, guidelines, etc.)
  6. Give specific instructions with mandates – e.g., “All access to any computer system requires identity verification and authentication – no sharing of individual authentication mechanisms.”
  7. Designate specific responsibilities – e.g., “Individual system users are responsible for changing passwords on a quarterly basis.” (One caveat on that particular example: current NIST guidance in SP 800-63B advises against forcing periodic password changes unless there is evidence of compromise, so check such mandates against the standards you reference before writing them into policy.)
  8. Establish specific penalties for failing to comply with policy – for personnel and partners alike. And put some teeth in those consequences, such as dismissal for employees and contract termination for vendors.

After tackling items one through eight, Bayuk stresses – and we concur – that securing support from your leadership team should be your highest priority, as consensus will lend authority to enforcement.