Cybersecurity Supporting Documentation In previous posts I outlined the required topics for cybersecurity policies and procedures. In this post I will cover the cybersecurity related supporting documents. The table below lists items or topics, that should be address either in supporting documentation. That means that these are not policies or procedures. This list is based on NIST standards including the Risk Management Framework, Cybersecurity Framework and PCI DSS. This t
In a previous post I outlined the required topics for cybersecurity policies. In this post I will cover the required procedures from various cybersecurity standards and in a future post will cover the cybersecurity related supporting documents. The table below lists items or topics, that should be address either in various procedures or SOP manuals. This list is based on NIST standards including the Risk Management Framework, Cybersecurity Framework and PCI DSS. Of course, y
As an IT auditor for local governments, one of the most often asked questions I get during audits is this: “Who should setup user access in the financial application?” There is a debate concerning whether it should be IT or finance staff that creates accounts and is involved with setting up access. My answer, as with many professional questions is, “it depends”. Specifically, it depends upon other controls that might be in place. What I like to do with clients is walk the
I often get called in to evaluate cybersecurity documentation, more specifically policies and procedures. One of the concerns is what to include in such documents. For local governments, it is often easy to borrow a policy or procedure from another local government. As a result, sometimes the policies do not reflect the organization’s culture and may miss items that are important to that organization. However, borrowing policies and procedures can get an organization up and
Some standards like PCI and NIST require policies that cover specific topics. Sometimes you will see a requirement for a policy and procedure around a given topic, and other times you will see a requirement that says “policy and procedures.” People often get hung up on the terms “policy” and “procedure,” and confuse the two. Here are some of the top questions I get about policies, procedures, and plans.
Do I have to use the specific terms policy, procedure, or plan?
Many practitioners use these terms governance and management synonymously. While there is some overlap in practice, there are key differences between governance and management of information systems. For the highest-level stakeholders want to ensure the best use of IT within and organization. They want to ensure that they get the best “bang for the buck” so to speak, for their investment in technology. There is no use purchasing a new $100,000 technology, when a $25,000 w
People often ask for advice regarding information security or cybersecurity policies. For the remainder of this article, I will use cybersecurity and information security interchangeably. Nearly always it is a loaded question, exactly what do they mean by policy? Cybersecurity documentation for organizations comes in many levels and is influenced by a number of internal and external sources. Within an organization, there may be four levels of cybersecurity documentation.
Here is a sample high-level cybersecurity policy for a city, district, or county. It is designed to be a high-level statement adopted by city council, supervisors, or board of directors and leave detailed policies and procedure at a lower level. The reason is detailed policy and procedure may need to change regularly and there is no reason to continuingly go back to council or board for detail changes. It is appropriate for department heads to accept the risks to their oper
According to the Verizon 2018 Data Breach Report, 93% of data breaches are linked to phishing or social engineering. With stats like that, you would think cybersecurity awareness would be a top priority for organizations. However, there have been some cybersecurity professionals who claim that awareness is not effective and won’t change individual behavior. I disagree with their pessimism, human behavior can be changed. In fact, advertisers pay millions of dollars for a su
From the way-back machine. Almost two decades ago when I did IT services for clients I came up with this as an information sheet for clients. Basically, giving them a high-level overview of a IT Ops framework. I did this before Microsoft Operations Framework (MOF) or ITIL were on my radar. Here it is below. Our philosophy on managing systems. "We help our clients succeed by helping them secure and manage their technology investment." Our three-phase approach is to organiz