A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders
In this blog series, I am looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.
There’s plenty of technical advice out there for helping security and IT teams who are responsible for delivering this for their organisations. Where this advice is lacking is for executive leaders who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.
This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.
Each post focuses on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation. To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.
Episode 16: The Good, The Bad and The Policy
“He was staring at the instruments with the air of one who is trying to convert Fahrenheit to centigrade in his head while his house is burning down.”
Douglas Adams, A Hitchhiker’s Guide to the Galaxy
What does good look like?
When we’re thinking about cyber security, people often ask “what does good look like?” It’s a great question to ask, but answering it is challenging. It’s certainly more than just an absence of cyber attacks—we know that the threat of attack is ever-present (“when, not if”) and even companies with well-resourced security functions are susceptible.
Turn that question on its head. We might think we know what “bad” looks like, but that’s equally challenging to answer. Is suffering a major cyber incident an indication of “bad”? Not necessarily.
Cyber incidents themselves are the most extreme manifestation of vulnerability to attack. Organisations, and the computer systems and networks they use, are complex with many moving parts, any of which can have a potential vulnerability which, if exploited, could result in some form of cyber attack.
It could be anything from a computer system running insecure software, someone leaving a USB stick on the train, a screen left unlocked while you make a coffee, or a helpful helpdesk junior who resets a password for someone without properly verifying their identity.
All of those are examples of poor security practice which have hit the headlines over recent years. While it’s impossible to prevent these incidents from happening with absolute certainty, your organisation can go a long way to creating the conditions where they are much less likely by having a strong policy framework in place.
Pillars of Security
In the last episode, I mentioned the 4 security pillars of technology, culture, assurance and governance (thanks again UUK). Of these four, the executive team has a leading role to play in three of them, and governance is front and centre. Policy has a strong part to play in this, but assurance is the flip-side of the governance coin. After all, you can have all the policies in the world, but they’re no use if they’re not being effectively enforced.
Security frameworks like ISO27001 and CIS outline around 30 or more policies for different aspects of security. How many of these you need to have to effectively govern information security is determined by the type and size of organisation. For example, some might want to have a “Cryptographic Key Management Policy”, whereas for others having a “Physical and Environmental Security Policy” which covers encryption methods alongside other security protections might be adequate.
Getting the balance right
Good governance is about getting the balance right, to provide enough of a steer without drowning in detail or being overly prescriptive. Policy should state the desired outcome, rather than the controls to be used to achieve it. For example, stating that “all data stored on removable media should be encrypted” is a clear outcome to achieve; the detail of how that is achieved can be left to guidance which can be revised as and when necessary. SANS has provided excellent guidance on security policy development, and provides a set of security policy templates (linked to the NIST Cybersecurity Framework).
In our experience, all organisations have an Acceptable Use Policy for staff and students, and most have Data Protection and Retention Policies. However, often there are few, if any, additional policies and plans governing information security. Firstly, you should have an over-arching Information Security Policy which outlines the organisation’s attitude to security. In addition, the most important ones to have in place are Patching Policy, Backup Policy, and Secure Working Practices Policy, and plans for Business Continuity, Incident Response and Disaster Recovery. I’ve discussed each of these in previous episodes.
Designing for Impact
For policies to be effective they need to be relevant, accessible and embedded.
They need to be kept under review to stay relevant and ensure they are fit for purpose. The policy review cycle should be no longer than every 3 years. Policy documents should clearly state when they were last reviewed and the next review date. Good policy document control means assigning each policy an owner and authoriser, and a note of what changes were made from the previous version.
The most obvious way to make policies accessible is using your document management system, such as an intranet or SharePoint site. Have them in one place, organised by function and searchable. A recent check of a university website listed over 470 policies covering 17 areas of governance. Don’t expect people to have to know the policy title or file name to find it. If I want to know what the policy is on encryption, I should be able to search for “encrypt” and find all the policies that mention this.
Link policies together. In episodes 11-14, I talked about Incident Response, Disaster Recovery and Business Continuity plans. These are distinct but intricately linked. Make it easy for people to reference these by embedding hyperlinks. And link to policy documents in other documentation (standards, procedures and guidelines).
Let’s face it, looking through policies is not most people’s idea of a fun time, and most people are unaware of most of their organisation’s policies, until it directly impacts them. But good governance means that managers at each level should know which policies are most relevant to their function, and where they need to ensure that they comply.
The ultimate goal is for policies to be embedded in everyday working practices, such that people are implementing the policy without necessarily being consciously aware of doing so. In other words, the policy documents what we do.
In most organisations, that is an aspiration rather than the reality and there’s a journey to be undertaken to get there.
Moving forward
That journey involves several elements. First up, training (see episode 15) should reference the relevant policies which apply, so these are seen in context. Second, processes should be designed to reflect the relevant policies. Third, you need a feedback mechanism so you know when policy is or isn’t working.
How do you know if your policies are being effective? Put simply, it’s whether the outcome expressed in the policy is being achieved. That implies some form of measurement. Key performance indicators can help. In the policy design, think about what measures you already have which can confirm whether policy is being implemented; alternatively, breaches of policy can be measured. For example, a monthly vulnerability scan can be used to identify occurrences of unpatched software to confirm whether a Patching Policy is being adhered to, or which systems are not being managed according to policy. Ideally, these KPIs and breach counts will be easy to derive and won’t impose additional workload.
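To make the measurement idea concrete, here is an added example (not Jisc’s code, nor the output of any particular scanner) that turns a monthly scan’s findings into a Patching Policy KPI. It assumes a hypothetical policy outcome of “patches applied within a fixed number of days of release, by severity”; the SLA windows, the asset register and the scan findings are all constructed for illustration. Beyond a plain compliance percentage, it also surfaces the two kinds of breach the paragraph mentions: hosts that are out of patching tolerance, and hosts that are not being managed according to policy (scanned but absent from the asset register, or registered but never scanned).

```python
"""Derive a Patching Policy KPI and breach list from vulnerability scan output.

Added example: the policy thresholds, asset register and scan findings below
are constructed for illustration. Real scanners export findings in their own
formats, which would be parsed into the same simple structure.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Hypothetical policy outcome (assumption): a fixing patch must be applied
# within this many days of its release date, depending on finding severity.
# Severities not listed are outside the policy outcome and are not counted.
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}


@dataclass(frozen=True)
class Finding:
    severity: str
    patch_released: date  # date the vendor fix became available


def is_breach(finding: Finding, scan_date: date) -> bool:
    """True when the finding has been fixable for longer than the policy allows."""
    sla = PATCH_SLA_DAYS.get(finding.severity)
    if sla is None:
        return False
    return (scan_date - finding.patch_released).days > sla


def patching_kpi(scan: dict[str, list[Finding]], managed_hosts: set[str], scan_date: date) -> dict:
    """Return the KPI and breach lists for one scan run.

    scan maps every scanned host to its (possibly empty) list of findings, so
    hosts with a clean result still count as covered by the scan.
    """
    scanned = set(scan)
    # Scanned but not in the asset register: not managed according to policy.
    unmanaged = sorted(scanned - managed_hosts)
    # In the register but not scanned: cannot be shown compliant, so not counted as such.
    unscanned = sorted(managed_hosts - scanned)
    breaching = sorted(
        host for host in managed_hosts & scanned
        if any(is_breach(f, scan_date) for f in scan[host])
    )
    in_scope = len(managed_hosts)
    compliant = in_scope - len(breaching) - len(unscanned)
    compliance_pct = round(100 * compliant / in_scope, 1) if in_scope else 100.0
    return {
        "compliance_pct": compliance_pct,
        "breaching": breaching,
        "unscanned": unscanned,
        "unmanaged": unmanaged,
    }


# --- constructed sample data ---------------------------------------------
SCAN_DATE = date(2024, 6, 3)
MANAGED_HOSTS = {"web01", "web02", "db01", "hr-laptop-07", "file01"}
SCAN = {
    "web01": [Finding("critical", date(2024, 5, 28))],   # 6 days old: within SLA
    "web02": [Finding("high", date(2024, 4, 1))],        # 63 days old: breach
    "db01": [],                                          # clean
    "hr-laptop-07": [Finding("medium", date(2024, 1, 2))],  # 153 days old: breach
    "lab-pc-3": [Finding("critical", date(2024, 3, 1))],    # not in the register
}


def format_report(result: dict, scan_date: date) -> str:
    """Plain-text summary suitable for a monthly governance report."""
    lines = [
        f"Patching Policy KPI for scan dated {scan_date.isoformat()}",
        f"  Compliant managed systems: {result['compliance_pct']}%",
        f"  Out of patching tolerance: {', '.join(result['breaching']) or 'none'}",
        f"  Registered but not scanned: {', '.join(result['unscanned']) or 'none'}",
        f"  Scanned but not registered: {', '.join(result['unmanaged']) or 'none'}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(patching_kpi(SCAN, MANAGED_HOSTS, SCAN_DATE), SCAN_DATE))
```

Run against the sample data this reports 40% compliance, with two hosts out of tolerance, one registered host missing from the scan and one unregistered host present in it. Each category points to a different action: overdue patches go back to the team that owns the system, a missing host is a scan coverage problem, and an unregistered host is an asset management gap rather than a patching one.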
If you discover that KPIs are not being met, or that there are significant numbers of policy breaches, you need to take action. This could mean that the policy is not realistic or achievable and needs to be revised. Or that teams are not sufficiently resourced to deliver on these. Or that training and awareness programmes are inadequate and need to be improved. Or there’s a deliberate intention to breach policy (in which case a disciplinary process is invoked).
Executive teams lead front and centre on the policy issue. Done right, it provides strong governance, assurance of compliance, and embeds working practices, creating the culture that ensures vulnerabilities don’t result in major incidents.
A final [deep] thought
In the next episode of A Hitch-Hacker’s Guide to the Galaxy, we’ll be looking at supply chain risk management. “Getting the third party started”.
For now, you can take useful steps forward by checking out your organisation’s policies. Do you have a list of policies? Do you have the recommended information security policies in place? Are they current, with last and next review dates? Are they accessible to all staff in an electronic format, with embedded links to other related policies and procedures? Are policy references embedded within your training programme? Are you measuring KPIs and policy breaches to determine how effective your policies are?
James Bisset is a Cyber Security Specialist at Jisc. He has over 25 years’ experience working in IT leadership and management in the UK education sector. He is a Certified Information Systems Security Professional, Certified Cloud Security Professional, Certified in Information Systems Risk and Control and is a member of the GIAC Advisory Board.