Cyber Security Policy considerations and Governance –

Beyond Compliance Needs Let us start at the top. Often times, all the well-intentioned, painstakingly written reams of policies fail to be

    Published on
Venu Y.

Follow Following Unfollow Venu Y.

Sign in to follow this author

Beyond Compliance Needs

Let us start at the top. Often times, all the well-intentioned, painstakingly written reams of policies fail to be effective. How often does the leadership even revisit these policies? Why do employees dread and hate policies and look at them as restrictive and a nuisance?

Before we proceed, let me state the scope of this article. Broader jurisdictional cybersecurity policies lay the directional and compliance aspects for any commercial or other enterprise to operate within. The policy governance considerations I am focusing on is limited to what enterprises need to consider and how to approach creating and maintaining those policies. We also know that policies will guide the standards, baseline and procedures for the operational aspects and implementation of a cybersecurity program.

We all know the myriad of policies, where we end up signing on the dotted line blindly without ever understanding the implications. All of us, grudgingly, have to accept the reality of the litigious society we live in, which necessitates all that legalese. However, when it comes to policies that matter in the cybersecurity space for an enterprise, we need to simplify them and make them effective. I remember some time ago, even Google came up with a very simplified version of a user policy and avoided all the fine print. I am sure every stakeholder would appreciate something like that.

There are many policies which end up being “Cut and Paste” from a template. Sure, using a template might help with some of the legal jargon and protections and liability lingo, but relevance and contextualizing are the most critical aspects of a policy.

Any enterprise should base their policies on certain fundamental constructs around these principles:

Risk-based, technology agnostic, outcome-oriented and measurable

Flexible and adaptable to encourage innovation

From a government point of view, cybersecurity policies should cover the following strategic focus priority areas, and these will change based on current market and societal needs:

A. Nation State Cyber Threats

The next warfare is in the cyber domain and threatens the human race. Cyber threats can be equated to WMD – without being overly melodramatic.

B. Internet of Things – IOT

Everything is connected to everything and one weak link is enough to bring down the whole chain and cause havoc. Standards are evolving but not fast enough to keep pace with the explosion of devices connecting to the web every day. Government policies and standards might be essential to protect citizens.

C. Encryption

Encryption is being used very effectively as an evasive means by cybercriminals to hide their activities, and government needs to figure out effective policies to deal with the exceptions and national security needs, while ensuring citizens’ right to privacy.

D. Financial Services and Critical Infrastructure

Government constantly re-evaluates risks to critical infrastructure and looks at policy guidelines that enterprises can follow and should comply to.

E. Consumer Privacy – Protection

The boundaries of commercial and other forms of data exchange and transactions know no borders. While looking at data privacy policies, an enterprise should look at their customer base, both existing and potential, and account for government regulations and laws such as GDPR and GBLA, among a host of others.

Enterprises need to take those guidelines, mandates from the jurisdictional policies and incorporate those into their own cybersecurity policy framework. I would highly encourage anyone responsible for preparing these policies, especially cyber security policies, really pay attention to the following fundamental elements

Purpose is as simple and fundamental as looking at what outcome is expected. Don’t complicate it. Look at how you measure its effectiveness. Cybersecurity policy purpose should be for the following reasons:

o Protecting the CIA triad – ” Confidentiality, Integrity and Availability ” of customers, employees, partners, and assets across the data information supply chain

o Safeguarding people and data assets from potential breaches

o Safeguarding and protecting shareholder value in the company’s stock

o Ensuring business continuity and effective execution of all functions at all times

o Establishing effective and acceptable use guidelines of all data assets

o Compliance with the jurisdictional laws and obligations

Compliance to any policy, in letter and spirit, should be felt as in the “complying party’s” interest and only then will policies be meaningful and effective.

Stakeholders, who are the target of this specific policy, should be considered before drafting and rolling out a policy. For example, if a security policy of acceptable use of BYOD is going to frustrate the employees and make them feel like a burden to comply with, then it is bound to be ineffective and you will fall short of your objective. The following need to be accounted for from the stakeholders’ point of view:

o Consider stakeholders across the spectrum and their needs and anticipated behaviors

o Consider workshops and getting their input, and incorporate those into the policy

o Consider their motivations and their “What’s in it for me?” questions

Awareness is essential for compliance, and many policies are not effectively presented to the stakeholders. There are many policies where users are expected to comply and might face consequences for non-compliance. Ensure stakeholders are aware of the policy purpose and expectations. Consider the following:

o Awareness should address purpose and drive adoption

o Awareness should also cover the expectations very effectively

o Awareness should be an ongoing activity to remind stakeholders of expectations, compliance, and consequences of non-compliance

o Legal compliance liabilities and effective enforcement of deviation should be communicated in a way they can appreciate and adhere to

Adoption will be easy when you have addressed all the other aspects mentioned above, the critical aspect being the “buy-in” and a willing participation of stakeholders. This mostly increases with proper awareness, education, and enablement, which means your policies should provide for those ‘means.’

Please share your thoughts and share this article if you find it informative I will be sharing my points of view and experiences in the coming days and weeks on diverse aspects and domains of Cyber Security Venu YeduGondla, CISSP, SAFe, SAPM, CSM … Cyber Security advisor, Awareness Champion and evangelist

Adaptation is where the policy life cycle should account for a periodic review, policy success measurements, and revision, to adapt to changing needs and improvisations. This notion of policies being set in stone is a very bureaucratic form of thinking and doesn’t deliver an effective cybersecurity program.

Just to recap, cybersecurity policy governance should really be about tailoring policies to meet compliance, enterprise architecture, business model, and the culture of the enterprise. It is about effective policies that drive adoption and keeping the enterprise safe.

Browse

Article by channel:

Read more articles tagged: Security Governance