
The Importance of the CISO
A survey by ThreatTrack demonstrates that the role of CISO is misunderstood and underappreciated by C-Level peers. It seems business executives do not have confidence that the CISO understands the business. It seems many executives make business decisions that have cyber risk without input from their CISO. Or the responsibility of cyber risk management and compliance is placed with the head of IT (CIO or director). Often the head of cybersecurity does not have an audienc

Cybersecurity Supporting Documentation
In previous posts I outlined the required topics for cybersecurity policies and procedures. In this post I will cover the cybersecurity related supporting documents. The table below lists items or topics that should be addressed in supporting documentation. That means that these are not policies or procedures. This list is based on NIST standards including the Risk Management Framework, Cybersecurity Framework and PCI DSS. This t

Cybersecurity Procedure Coverage
In a previous post I outlined the required topics for cybersecurity policies. In this post I will cover the required procedures from various cybersecurity standards, and in a future post I will cover the cybersecurity related supporting documents. The table below lists items or topics that should be addressed either in various procedures or in SOP manuals. This list is based on NIST standards including the Risk Management Framework, Cybersecurity Framework and PCI DSS. Of course, y

Cybersecurity Policy Coverage
What topics need to be covered in cybersecurity policies? In this post I will cover the required cybersecurity policies from various cybersecurity standards, and in future posts I will cover cybersecurity procedures and cybersecurity related supporting documents. The table below lists items or topics that should be addressed either in an overall cybersecurity policy or in individual policies. This list is based on NIST standards including the Risk Management Framework, Cyberse

Who should set up access in the ERP (Financial Application)?
As an IT auditor for local governments, one of the questions I am asked most often during audits is this: “Who should set up user access in the financial application?” There is a debate concerning whether it should be IT or finance staff that creates accounts and is involved with setting up access. My answer, as with many professional questions, is “it depends”. Specifically, it depends upon other controls that might be in place. What I like to do with clients is walk the

What Should be in a Good Cybersecurity Policy
I often get called in to evaluate cybersecurity documentation, more specifically policies and procedures. One of the concerns is what to include in such documents. For local governments, it is often easy to borrow a policy or procedure from another local government. As a result, sometimes the policies do not reflect the organization’s culture and may miss items that are important to that organization. However, borrowing policies and procedures can get an organization up and

Policy, Procedure, or Plan
Some standards like PCI and NIST require policies that cover specific topics. Sometimes you will see a requirement for a policy and procedure around a given topic, and other times you will see a requirement that says “policy and procedures.” People often get hung up on the terms “policy” and “procedure,” and confuse the two. Here are some of the top questions I get about policies, procedures, and plans.
Do I have to use the specific terms policy, procedure, or plan?

IT Governance & IT Management
Many practitioners use the terms governance and management synonymously. While there is some overlap in practice, there are key differences between governance and management of information systems. The highest-level stakeholders want to ensure the best use of IT within an organization. They want to ensure that they get the best “bang for the buck”, so to speak, for their investment in technology. There is no use purchasing a new $100,000 technology, when a $25,000 w

Cybersecurity Policies Made Easy
People often ask for advice regarding information security or cybersecurity policies. For the remainder of this article, I will use cybersecurity and information security interchangeably. Nearly always it is a loaded question: exactly what do they mean by policy? Cybersecurity documentation for organizations comes in many levels and is influenced by a number of internal and external sources. Within an organization, there may be four levels of cybersecurity documentation.

Does Security Awareness Work?
According to the Verizon 2018 Data Breach Report, 93% of data breaches are linked to phishing or social engineering. With stats like that, you would think cybersecurity awareness would be a top priority for organizations. However, there have been some cybersecurity professionals who claim that awareness is not effective and won’t change individual behavior. I disagree with their pessimism; human behavior can be changed. In fact, advertisers pay millions of dollars for a su