Malware Manual – Part 2: Building Your Cybersecurity Policy
Is your organization among those fortifying
its cybersecurity team? If so, congratulations. You’re among the minority of
small to mid-size businesses (SMBs). The shocking facts are:
- SMBs are short-staffed for cybersecurity.
- Many don’t budget for cybersecurity.
- Many are in the dark about data breaches.
Those realities are among the reasons we
encourage readers to adhere to the Cybersecurity Framework developed by the National Institute of Standards and
Technology (NIST). The first of the framework’s core functions is “Identify,” and one category
within this initial phase of improving your cybersecurity posture is developing a
“Risk Management Strategy.” And perhaps the most essential element of any
business strategy is crafting policy.
How do you build a cybersecurity policy? We
found a step-by-step primer in CSO magazine by infosec
expert Jennifer Bayuk. Here’s a digest of what Bayuk recommends should go into
your cybersecurity policy, with a few instances of our particular spin on the
- Scope –
state that the policy covers all systems, facilities, programs, data, networks and technology users.
- Classification –
classification of information should be
content-specific – e.g., “financial” or “customer” data – not generic,
such as “confidential” or “restricted.”
- Management goals –
set goals for the secure handling of information in each classification.
- Context –
place your cybersecurity policy in context with other management
directives and documents. In short, your cybersecurity policy should be
consistent with all other management policies – and endorsed by your leadership team.
- Supporting documents –
include references to supporting documents (e.g., roles and
responsibilities, process, technology standards, procedures, guidelines).
- Specific instructions –
give specific instructions with mandates – e.g., “All access to any computer
system requires identity verification and authentication – no sharing of
individual authentication mechanisms.”
- Responsibilities –
designate specific responsibilities – e.g., “Individual system users are responsible
for changing passwords on a quarterly basis.” (One caveat on that particular example: NIST’s current
guidance in SP 800-63B advises against forcing periodic password changes unless there is evidence
of compromise, so phrase password mandates to match the guidance you actually follow.)
- Penalties –
establish specific penalties for failing to comply with policy – for personnel and
partners alike. And put some teeth in those consequences, such as
dismissal for employees and contract termination for vendors.
After tackling items one through eight, Bayuk stresses
– and we concur – that securing support from your leadership team should be
your highest priority, as consensus will lend authority to enforcement.