CISO DRG Vol 1: Chapter 7 – Risk Management and Cyber Liability Insurance

Introduction

In this chapter, we will talk about the one fundamental issue that drives most CISOs and influences how they create and manage their security programs. That issue is risk. Our authors will note that there are numerous types of risk facing an organization from both an internal and external perspective. They will also discuss the various components of risk and the impact on an organization when risk is not managed correctly. The discussions that follow will highlight our authors’ unique viewpoints on risk in its different forms and how to accomplish risk management through security controls and new tools such as a cyber liability insurance policy.

Our authors collectively believe risk is one of the primary drivers that influences an organization and its ability to be successful. Because of risk’s enterprise-wide impact, our authors believe the modern CISO must understand their organization’s industry, regulatory requirements, and strategic initiatives. This business context will provide critical insight for CISOs as they use their security program, policies, tools, and cyber insurance to protect their organization and reduce its risk exposure to an acceptable level.

Bill highlights the four fundamental approaches that organizations will use to manage their risk. He provides a thorough analysis of how the risk management function within the organization has changed due to many of the dynamic threats now facing enterprise business environments. He describes the multitude of ways that risk can impact an organization, and from his in-depth experience provides several options that organizations can use to mitigate risk and its impact on their business operations.

Matt approaches the discussion of risk through the lens of cyber liability insurance. He breaks down how to view the management of risk through tools like an insurance policy and how to leverage this new capability for the organization. In his discussion, Matt emphasizes that for the CISO to consider using cyber insurance, they must have an understanding of the current risks facing the business, the present risk management controls in place, and the resultant gaps to address. He believes that with this knowledge a CISO is in a better position to help their organization reduce its risk exposure by implementing an appropriate cyber insurance policy.

Gary begins his discussion on risk with the pragmatic viewpoint that for CISOs to be productive in mitigating the risks facing their organization they first must establish a risk baseline. The CISO must understand what is critical to the organization and must have executive management support to prioritize cyber risk correctly. Gary delivers a thorough treatment of cyber insurance and its numerous components and provides recommendations on how to use cyber liability insurance as a tool to protect the organization.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  How do I assess my organization’s current cybersecurity status? What do I need to protect first?

♦  What must my executive team do to prioritize cybersecurity in the organization? As CISO, what components and policies must be part of my cybersecurity program to effectively manage risk and keep my executive team informed?

♦  Should my organization consider cyber insurance to reduce its risk exposure? What do policies cover and not cover? What types of coverage should my organization consider (first party/third party)?

Cybersecurity, Risk Management and Cyber Insurance – Hayslip

Across our planet, the Internet is making inroads into every society as technology moves forward exponentially. With this increase in connectivity, we see new business platforms and societies reaping the benefits of access to new business opportunities and services.

However, there is a dimmer view of this fantastic growth in technology. With every tool used for one’s benefit, there is always the dark side of how it can be used to one’s detriment. This drama of how criminals use technology against organizations highlights the unique position of the CISO.

An organization’s CISO is the subject matter expert on the dilemma of this dark side. It is considered essential that the CISO understands the organization’s risk exposure to cybercrime, compliance and regulatory issues, and new evolving threats. To do this effectively, the CISO must establish an executive-sponsored cybersecurity program, create relationships within their organization’s internal and external stakeholder communities, and continuously evaluate their organization for risk and take immediate steps to protect it from harm.

You Want Me to Protect What?

As we begin our first discussion, it is incumbent on me to remind you that the CISO is the focal point for an organization’s effort to deploy cybersecurity as a service (CaaS) and reduce the company’s risk exposure to its current technology portfolio. As previously mentioned, one of the first steps a CISO will take is to establish an executive-sponsored cybersecurity program.

This program will be the platform that a CISO can employ to gain a better understanding of the organization’s exposure to technological risk and create a mitigation plan for how to address it based on the organization’s business requirements. As it matures, this security program will also provide a foundation for the CISO to pivot from and use new workflows, security controls and technologies to enable the business to understand its risks and its partners’ risks and reduce them where appropriate.

To begin our first discussion, we will talk about cybersecurity and the inherent risk it manages for the business. We will also discuss how the CISO gains visibility into the corporate enterprise environment and how to use this knowledge for the betterment of the cybersecurity program and the company’s strategic business plans. So let’s discuss how you, as CISO, will approach this first question and how you should proceed to look for viable answers. “How do I assess my organization’s current cybersecurity status? What do I need to protect first?”

To begin our discussion, let’s first understand what type of risk we are concerned about as a CISO. In our position, we must realize “inherent cybersecurity risk,” which is the risk posed by an organization’s business activities and its connections to partners, as well as any risk-mitigating controls that are currently in place. An organization’s cybersecurity risk incorporates the type, volume, and complexity of its cyber operational components. These are the types of connections used by the applications and technology required by the organization to conduct its business operations.

Figure 7.1 COSO Enterprise Risk Management Framework

To understand this risk, we must approach the business departments within the organization and gain insight into how they do work. We must understand the applications, data, workflows, and technologies that are required by their personnel and any projects they wish to initiate to improve their capabilities. To collect this information quickly and effectively, I would suggest you begin with an enterprise risk assessment. I have completed several of these in the past and would recommend using a framework like the NIST Risk Management Framework or the COSO Enterprise Risk Management Framework. These frameworks will provide you with a solid foundation to begin your discussion about risk within your enterprise.

As you begin your assessment, there will be components that will require you to interact with your various business departments directly. Use this assessment as an opportunity to start building the relationships you will need as a CISO. Your stakeholders have critical knowledge about your organization, and you will need them to help your program mature and grow a cyberculture within these departments.

As you work with these stakeholders, you should seek to gain the insight that you will need as a CISO, which is to understand what assets you must protect for the organization to be successful.

Questions for the CISO to Gain Insight to Critical Assets

♦  Do I understand which applications and services are critical for my organization?

♦  Do I know what data these critical applications create and where this data is stored and backed up?

♦  Does my organization have formal agreements with its critical partners that allow us visibility into how they are managing their technology-based risks?

♦  Does my executive leadership team understand what threats and vulnerabilities are being used by our adversaries to target the products the company presently has in its technology portfolio?

As you begin discussions with your stakeholders, there is one crucial point I want you as CISO to pay attention to and document. This critical point is the tone that you and your teams get from these stakeholders on anything associated with your cybersecurity program. Most boards of directors only speak about cybersecurity when there is a breach. If the board is routinely addressing security and senior executive management is sponsoring your security program, you should see the beginnings of cybersecurity awareness taking root in the organization’s culture.

However, if this is not the case, it will be harder for you to get accurate information when conducting your assessment. I bring this point up because it will give you much-needed insight into how you should address your stakeholders and the responses you might receive from them.

As a CISO, I have found in the past that there will be departments that will want to work with me as a partner and departments that will try to ignore me. Those that were partners I treated as equals in the process, and I championed their projects at tech review. I also included their inputs in new security policies and work processes and requested their assistance with my reluctant departments to eventually grow the trust required to conduct a full cyber risk assessment with all departments.

So back to our cyber risk assessment. As CISO you should also review current practices and overall company preparedness. Several critical processes that should be a focus of the risk assessment are:

  1. “Risk Management and Governance” – this component is about strong governance with clearly-defined roles and responsibilities. There should be assigned accountability to adequately identify, assess, and manage risks across the organization. How well does management account for cyber risk when implementing new technologies? Is there a formal process to review and mitigate issues as required? It is also in this process that we look at our personnel, who are the company’s first line of defense. It is here that we address whether the organization is providing cyber awareness training to employees and whether this training is effective in providing employees with an awareness of ongoing cyber risk.
  2. “Threat Intelligence and Collaboration” – this component is about the processes the business has in place to collect and analyze information to identify, track and predict the intentions and activities of your adversaries. This information can be used to enhance your decision-making capabilities, providing needed visibility into the risks associated with large strategic projects. Participation in information-sharing forums such as CERT, NIST, InfraGard, MS-ISAC or FS-ISAC is considered critical to the CISO. A vital element of the CISO’s job is assisting with organizational risk management, and the information from these partners is instrumental in the CISO’s ability to identify, respond to, and mitigate cyber threats/incidents.
  3. “Security Controls” – this component focuses on the employment of security methodologies that can be preventive, detective, and corrective. Most organizations will use preventive controls, controls that are focused on preventing unauthorized access to enterprise assets. However, a mature cybersecurity program will employ multiple control types, interwoven to provide more resilient coverage against the changing cyber threat landscape. The types of controls that can be deployed to work together are:
  • Preventive Controls – processes such as patch management and encryption of data in transit or at rest. These controls need to be periodically reviewed and updated as the organization’s technology portfolio
  • Detective Controls – tools that are used to scan for vulnerabilities or anomalous behavior. Some of these controls are anti-virus/anti-malware solutions or new endpoint solutions.
  • Corrective Controls – these are controls designed to fix issues. Examples are organizational policies such as change management, patch management, and third-party vendor management.

With the deployment of these controls don’t forget to ask yourself “what are the processes for implementing them?” Are these security control processes documented and are they periodically reviewed? What are the procedures to mitigate risk identified by these processes? As you can see, controls are like children. They will need to be fed, monitored, cared for and, as they mature, updated to ensure they effectively provide value to the organization.

  4. “External Third-Party Management” – this component is about the management of connectivity to the business’ third-party providers, partners, customers, and others. What processes/policies should the company have in place to manage these relationships? Part of this component will be organizational directives that document company policy for executing contracts with third-party entities. Does current contract policy spell out what types of connections you require to corporate networks? Does current contract policy spell out what data will be required and document who will access it? Does current contract policy include as part of the contract a “verification of risk standard” concerning the external partner’s disaster recovery/incident response plans?
  5. “Incident Management” – this component is critical for the organization. It focuses on cyber incident detection and response, mitigation of identified risks, incident escalation/reporting procedures, and overall cyber resiliency. In the assessment process, you will need to identify whether the business has documented procedures for the notification of customers, regulators, and law enforcement concerning a breach. You will also need to verify that you periodically report metrics you collect on this component and its maturity to senior management. One last essential process to verify through this risk assessment is “does the organization have documented Disaster Recovery and Business Continuity plans?” In answering this question be sure to verify that you test the plans, there are communication policies in place, and there is a documented process for how to include trusted third parties for effective communications.

As you can see from our discussion so far, in assessing the organization to develop a more thorough understanding of its inherent cybersecurity risk, you will generate an inordinate amount of data. This data focuses on the essential technology and business process components required by the organization to execute its strategic business plans. This information will be extensive and can be overwhelming, especially if the organization has numerous business verticals and international business channels. However, as CISO you now have a decision to make, and that is “what do I protect first?” Not all assets are created equal, and now it is time to prioritize with your stakeholders which ones require the most protection and the focus of your cybersecurity risk management program.

As CISO, you use a process called “asset classification” to decide the level of protection dedicated to an asset. You will find that organizations tend to overprotect assets and data. In the world of technology, not all data and assets require the same level of protection. As CISO, you will want to understand what assets make up the category of “most valuable assets” as prioritized by the business stakeholders. This means that your stakeholders will assist you in prioritizing what is important to them. A good rule of thumb to help you in this process is to ask, “If these assets are stolen, compromised, misused, or destroyed, would this result in significant hardship to the organization?” If the answer is yes, then they are critical assets and will require added protection. Once you have this list, you will also need to understand their location and, most crucially, who has access to them.

I am sure by now you are wondering what baseline should be used to assist the organization in grading these assets. You know that you will be working with the business’ various departments to identify what assets are critical and you have some excellent questions to ask yourself as you review the data you collect. However, there is a methodology for determining what is essential and requires extra protection. Some steps I would recommend are as follows:

  1. Identify the critical assets and business processes – following the steps I listed above, work with your stakeholders to create a prioritized list of essential assets. Some examples of asset types that fall into this category are trade secrets, market research, trading algorithms, product designs, people, and R&D research.
  2. Determine the assets’ value to the organization – “one size fits all” doesn’t apply when you are assessing technology, work processes, and data types. I gave you some questions to measure the criticality of the assets under scrutiny. However, there is also the topic of compliance. You will have asset types that fall under a regulatory/compliance regime, and as such, they will have laws and fines associated with them. What this means to a CISO is that once you have your prioritized list, you will still need to review it for any items that are governed by compliance and move them towards the top of the list. You will want to ensure your business has visibility on compliance-related assets when they help you set the priorities for this list.
  3. Determine the risk tolerance of the organization – once you have identified and ranked the organization’s assets, you need to determine how much risk the business is willing to accept. This idea of risk tolerance focuses on how much protection the business is willing to employ provided it doesn’t interfere with its ability to conduct operations. I have found, as CISO, that there will be times where a critical asset will not receive a specific level of protection for fear of degrading a business process. This becomes a risk the organization is willing to accept, and it is one you will need to document and develop other compensating security controls or methodologies to monitor and manage. The critical part of this step is listing those assets that have degraded protection, developing compensating controls to mitigate as much risk as possible, and then documenting the residual risk for monitoring and hopefully future mitigation.
  4. Set appropriate levels of protection for each asset type – this last step is a recommendation for organizations with large numbers of assets. I have used this step to separate my data into asset groups prioritized in the previous steps. Now with these identified groups, you can establish a level of controls that apply to the specific asset types, and you can determine who has responsibility for the assets. With responsibility identified, you can create a matrix of management to document who is responsible for the assets, who can make decisions about whether to accept or mitigate risk, and who will assist you and your teams in remediating any security issues.
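The four steps above can be captured in a small asset-classification register. The script below is an added example, not code from the book or its authors: it applies the rule-of-thumb impact question, moves compliance-governed assets to the top of the list, records accepted risk with its compensating controls, and produces the responsibility matrix from step 4. The impact scale, the size of the compliance bump, the tier names, the control baselines per tier and every asset in the sample register are assumptions constructed for illustration.

```python
"""Asset-classification register (added example; all data is hypothetical)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Stakeholders answer the rule-of-thumb question "if this asset is stolen,
# compromised, misused or destroyed, would it cause significant hardship?"
# with one of these levels (scale is an assumption, not from the book).
IMPACT = {"low": 1, "moderate": 2, "high": 3, "severe": 4}
COMPLIANCE_BUMP = 10   # large enough that any regulated asset outranks any other

# Hypothetical control baseline per protection tier, grouped by the three
# control types discussed in the text (preventive / detective / corrective).
TIER_CONTROLS: Dict[str, Dict[str, List[str]]] = {
    "regulated": {
        "preventive": ["encryption at rest and in transit", "MFA", "7-day patch SLA"],
        "detective": ["file-integrity monitoring", "weekly log review"],
        "corrective": ["change management", "incident response playbook"],
    },
    "critical": {
        "preventive": ["encryption at rest", "MFA", "30-day patch SLA"],
        "detective": ["endpoint detection", "monthly access review"],
        "corrective": ["change management"],
    },
    "important": {
        "preventive": ["role-based access", "90-day patch SLA"],
        "detective": ["vulnerability scanning"],
        "corrective": ["change management"],
    },
    "baseline": {
        "preventive": ["standard hardening"],
        "detective": ["anti-malware"],
        "corrective": ["patch management"],
    },
}


@dataclass
class Asset:
    name: str
    owner: str                                   # accountable stakeholder
    impact: str                                  # answer to the rule-of-thumb question
    regulations: List[str] = field(default_factory=list)   # e.g. PCI-DSS
    location: str = ""                           # where the asset lives
    accessors: List[str] = field(default_factory=list)     # who can reach it
    full_protection: bool = True                 # False: business declined a control
    compensating_controls: List[str] = field(default_factory=list)


def criticality_score(asset: Asset) -> int:
    """Step 2: impact rating, with compliance-governed assets moved to the top."""
    score = IMPACT[asset.impact]
    if asset.regulations:
        score += COMPLIANCE_BUMP
    return score


def protection_tier(asset: Asset) -> str:
    """Step 4: group assets so one control set can be applied per group."""
    if asset.regulations:
        return "regulated"
    if asset.impact in ("severe", "high"):
        return "critical"
    if asset.impact == "moderate":
        return "important"
    return "baseline"


def prioritize(assets: List[Asset]) -> List[Asset]:
    """Step 1: the prioritized list, highest criticality first (stable sort)."""
    return sorted(assets, key=criticality_score, reverse=True)


def responsibility_matrix(assets: List[Asset]) -> List[dict]:
    """Who owns each asset and which control baseline applies to it."""
    return [
        {"asset": a.name, "owner": a.owner, "tier": protection_tier(a),
         "controls": TIER_CONTROLS[protection_tier(a)]}
        for a in prioritize(assets)
    ]


def residual_risk_register(assets: List[Asset]) -> List[dict]:
    """Step 3: assets whose protection was degraded for business reasons."""
    return [
        {"asset": a.name, "owner": a.owner,
         "compensating_controls": list(a.compensating_controls),
         "status": "accepted risk - monitor"}
        for a in assets if not a.full_protection
    ]


def documentation_gaps(assets: List[Asset]) -> List[Tuple[str, str]]:
    """Critical or regulated assets whose location or accessors are unknown."""
    gaps = []
    for a in assets:
        if protection_tier(a) in ("regulated", "critical"):
            if not a.location:
                gaps.append((a.name, "location unknown"))
            if not a.accessors:
                gaps.append((a.name, "accessors unknown"))
    return gaps


# Constructed sample register (deliberately unsorted).
SAMPLE_ASSETS = [
    Asset("Cafeteria menu", "Facilities", "low", location="intranet"),
    Asset("Product designs", "Engineering", "high", location="engineering share",
          accessors=["engineering"], full_protection=False,
          compensating_controls=["network segmentation", "file access auditing"]),
    Asset("Cardholder data store", "Payments", "severe", regulations=["PCI-DSS"],
          location="PCI segment, DC1", accessors=["payments team"]),
    Asset("Market research", "Marketing", "moderate", location="SaaS CRM",
          accessors=["marketing"]),
    Asset("Trading algorithm", "Quant desk", "severe", location="quant cluster"),
]

if __name__ == "__main__":
    for row in responsibility_matrix(SAMPLE_ASSETS):
        print(row["tier"], row["asset"], row["owner"])
    print("accepted risk:", residual_risk_register(SAMPLE_ASSETS))
    print("gaps:", documentation_gaps(SAMPLE_ASSETS))
```

The compliance bump is the mechanical form of "move them towards the top of the list": it guarantees a regulated asset outranks any unregulated one regardless of its impact rating. The residual-risk register and the documentation-gap check are the two outputs a CISO would carry into the next review cycle, since they list exactly the items the text says must be documented and monitored.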

One final aspect of identifying what needs to be protected and establishing an appropriate level of security is developing training scenarios for staff to protect their assigned assets. The CISO is expected to not only understand the complexity of risks facing the organization but know how to mitigate any cyber-related incidents quickly. This is why you will want to create training scenarios. With the work previously completed in assessing the organization’s cyber risk maturity level and establishing what assets are critical, the CISO can now take these training scenarios and include them as an appendix to the organizational incident response manual. These scenarios should be used to test the organization’s response to the ongoing list of threats it faces on a daily basis and assist it in improving its business continuity.

Cybersecurity Must Be a Priority, or Is It?

The Information Systems Audit and Control Association (ISACA) completed an international survey in 2018. This survey, titled “State of Cybersecurity 2018” (ISACA 2018), had over 2,366 cybersecurity managers and security professionals respond. It confirmed that the rate of cyber incidents continues to grow at an alarming rate and the sophistication of attack methods is evolving. Two interesting statistics from this report that I found particularly daunting were that 75% of respondents reported that they expect their organizations to fall prey to a cyberattack this year, and 60% felt their security staffs were not mature enough to handle anything beyond simple cyber incidents.

I am sure you are asking, “Why is this important?” Well, the reason is that as CISO it is your job to understand the maturity of your organization concerning cybersecurity. It is also your responsibility to ensure that your organization is prioritizing the risks your security program is designed to manage and if it is not, that you have the policies and procedures in place to educate your organization’s officers and directors accordingly. This brings us to our next topic of discussion, “What must my executive team do to prioritize cybersecurity in the organization? As CISO, what components and policies must be part of my cybersecurity program to manage risk and keep my executive team informed effectively?”

Corporate laws in every state of the United States impose fiduciary obligations on all officers and directors of companies. To fulfill these obligations, the senior management and board of directors must assume an active role in the governance, management and corporate culture of their respective organizations. In fulfilling these obligations, they must address issues that would put their business at risk. One of the greatest risks they face today is how the organization responds to the threat of cybercrime.

I like to think that organizations come together under the umbrella of cybersecurity, with the board of directors leading the effort, combined with multiple organizational components, including business units, HR, Compliance, finance, internal audit, and procurement. Through collaboration with the CISO and his or her team they can effectively execute the organization’s cybersecurity strategy – cybersecurity does not flourish in a vacuum. For this collaboration to happen, it must start at the top with the executive team. This team must demonstrate, through its actions, that cybersecurity is a priority for the business. Some specific actions that a CISO should observe from their board of directors and executive leadership teams that indicate that cybersecurity is a strategic priority are as follows (Foley & Lardner LLP. 2015):

♦  Members of the executive staff are educating themselves on the risk to the organization from cybercrime.

♦  Leadership is reviewing the status of the corporate cybersecurity program and requesting periodic updates of its maturity level and the status of any outstanding issues.

♦  The executive staff is reviewing current security plans and standing policies.

♦  Leadership is prioritizing cybersecurity projects.

♦  The board of directors and executive leadership are requesting briefings on incident response and disaster recovery policies and any testing results. They are especially asking for information on how the organization will manage a breach and if this policy has been tested recently.

♦  Executive leadership and the organization are aware of the risk from current third-party relationships and procedures have been put in place to document and mitigate this risk to the organization.

♦  Policies are in place for the business to document and manage technology risks associated with all new third-party relationship decisions.

As the above steps demonstrate, the CISO and his/her team will be involved in assisting company leadership in addressing and reducing the risk of cybercrime. However, even with these steps, we need to remember that every organization that uses technology and employs risk reduction controls is still exposed to cybersecurity threats. Because of this evolving exposure, it is essential that corporate cybersecurity and risk management programs be integrated into the strategic operations of the company to minimize any disruptions concerning cyber incidents. For this type of well-managed program to exist, executive leadership will need to be actively involved, and the CISO will need to work with his/her leadership teams to effectively demonstrate a “standard of reasonableness,” or as it is known in the legal profession a “standard of care.”

What this means to the CISO and the executive team is a legal determination that the organization is conducting a cybersecurity risk reduction program with applicable standards of care and best practices to reduce its risk exposure. This determination is important because we know as cybersecurity professionals that breaches will occur; however, with an engaged executive team and a mature cybersecurity program, we can demonstrate that the organization is taking all reasonable steps to protect itself and the interests of its stakeholders.

Understand that in the triage of a breach cleanup many of the organization’s steps to prioritize cybersecurity will be evaluated to determine if the organization committed appropriate financial, technical, and human resources to the cybersecurity and risk management programs. The answers to these questions are critical. They could either lead to proper payments from the organization’s cyber insurance policies or the opposite, lawsuits from partners and customers who seek to recover from losses generated by the resultant cyber incident.

Gary Hayslip

CISO DRG Vol 1: Chapter 8 – Tools and Techniques

Introduction

In Chapter 8, we discuss our views on tools and techniques that the CISO can use to validate an organization’s security controls. Each of us provides guidance on how we have used specific tools and techniques and will examine the importance of understanding a tool’s role in mitigating risk and providing actionable information. All of the authors emphasize the importance of collaborating with stakeholders to select the best approach for deploying new critical processes and using tools to measure their maturity.

Through the aggregate of their different approaches, the authors provide the new CISO with a unique opportunity to understand the importance of tools and critical strategies to an organization and their detrimental impact to business operations if not implemented correctly.

Bill approaches this discussion of tools and techniques for CISOs by focusing on the connection between the people on our team, the tools they use, and the continual improvement that is necessary to keep up with the evolving threat landscape. To Bill, knowing which business processes are most critical allows us to invest our limited resources in the best outcome.

Matt starts his discussion with the statement that common sense is one of the best tools a CISO can use to protect their organization. He states that with common sense and some context on the processes that devices are used to serve, the CISO can often provide better service to the company than by purchasing new technology. Matt makes the case that through the use of tools such as a Business Impact Assessment (BIA), the CISO can collaborate with his/her fellow stakeholders to understand the organization’s risks, resulting in a selection of techniques and tools more finely tuned for its strategic business operations.

Gary begins his discussion with a list of best practices he has compiled over the years that an organization and a mature cybersecurity program should use to reduce risk exposure. Gary then provides a list of recommended techniques a CISO and the security program should apply to sustain a more business-centric “cybersecurity as a service” approach. He concludes his discussion by listing and describing the various domains of standard tools that are available to organizations and their security programs to protect enterprise assets.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What best practices would I recommend that new CISOs implement to reduce risk and provide value to their business?

♦  What actions or techniques can the security program proactively take to better protect organizational assets and preempt threats?

♦  What are some core tools/solutions that I would recommend to a new CISO to support cybersecurity operations?

Tools and Techniques – Bonney

In this chapter, we’re going to cover tools and techniques with an equal emphasis on both process and technology. The temptation among those of us in the technical fields is to think tools first. While tools are often helpful in solving various process problems, an over-reliance on tools is often expensive and usually decreases the effectiveness of any given program. The outcome of working through this chapter should be a roadmap that will allow you to right level your processes for your current requirements and build a technology roadmap for your future needs.

Build the Process Inventory

We’re going to start with a critical data-gathering step. Whether inheriting a mature program or building a new program, the crucial first steps are to document your process inventory and take stock of the tools your organization uses to assist with each process. It’s fundamental that you focus first on your process inventory, understanding how these processes map to your organization’s business objectives. Make sure you completely understand what you are protecting, and from what threats. Know how you are reporting the effectiveness of these processes to management and communicating expectations to your entire organization. It’s important to keep these points in mind as you inventory your tools and map that inventory to your process inventory.

To make sure you get a complete list, use the same information security framework you use for measuring and reporting. In Chapter 5 on measuring and reporting, I listed several options for security frameworks and standards that you can use to determine where you need to have processes and controls in place. PCI-DSS with its 12 high-level requirements and 300+ detailed requirements is a necessary standard for any portions of your network that handle payment card data. Likewise, NIST 800-53 with its 18 security control families and detailed implementation guides provides a wonderful blueprint for a robust collection of processes. Finally, the CISSP 8 Practice Domains and CIS Critical 20 Security Controls provide an inventory of critical must-have processes with which to build a robust program. Any of these will help you create a baseline of processes upon which you can build your inventory and perform your assessment.

Bill Bonney

CISO DRG Vol 1: Chapter 9 – Security Policy

Introduction

In our last chapter, we review one of the core topics that all security and risk mitigation operations revolve around – the organization’s cybersecurity program policies. Policies are the foundation for a security program. They explain the requirements for specific processes, including who has the responsibility for process execution, and specify the resources required for mature operations. For many organizations, not having the correct policies in place can significantly impact its ability to defend itself against cyber criminals and can degrade the ability to recover from a cyber incident. It is the responsibility of the CISO and executive management to have the correct policies in place, ensure the organization follows the policies, and periodically update them as the business/technology environment changes.

In this chapter, we will provide insight into the recommended policies an organization should have in its portfolio and describe in detail the components of a corporate information security policy. The authors approach this subject from different viewpoints, and you can rightfully assume that their wealth of experience on this subject demonstrates the importance of security policy for the CISO.

Bill provides his viewpoint that information security policies are foundational to an organization. He discusses the relationship between policy, standards, guidelines, and procedures. Throughout, he notes how important it is to maintain the connection between business objectives and the organization’s policies. Finally, Bill asserts that “policy has a purpose,” that it is written for action, and he elaborates on the principles and steps for establishing an effective cybersecurity policy.

Matt states that CISOs use security policies to be effective in fulfilling the requirements of their position. He discusses the balance between creating a policy that has a specific objective, and that is actually used in the organization. Matt then articulates the core elements of a well-structured policy and provides recommendations for specific policies that he deems crucial for an organization and its cybersecurity/risk management programs.

Gary provides insight into the essential components of an organization’s information security policy. He then walks the reader through a step-by-step process for creating an incident response policy and describes how an organization should use it. He concludes his discussion by providing a list of recommended policies that a CISO should build and use to address the risks facing their organization. He makes the case that through the use of these policies and resulting work practices, the CISO can enable the organization to be more resilient to the risks it faces.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  In building the organization’s information security policy, what components should the CISO consider essential?

♦  Does the organization have a formal, documented incident response policy and plan? If not, what best practices does the CISO need to consider to create them for the organization?

♦  In developing a mature cybersecurity program, what recommended policies should the CISO develop to increase his/her security program’s effectiveness?

Security Policies – Stamper

Many CISOs may feel that our titles don’t reflect what we do on a daily basis. It may seem that we are the CPO (Chief Policy Officer) of the organization and not the CISO. Our days are filled with writing, reviewing, and updating policies rather than deploying next-generation security tools, the fun stuff. Indeed, it can seem that there is no end to the number of new policies that we need to draft and disseminate within the organization. Having too many policies results in policy overload and policy fatigue among our colleagues. If we have too few, the commensurate gap in procedures and practices could lead to operational blind spots that put our organizations at risk. There has to be a reasonable balance to ensure that we address the objectives of the policies, procedures, and practices without generating security apathy among our colleagues.

Just as significant as the right balance and number of policies is how we enforce them. We should not write policies that will only be shelfware. We should operationally translate policies into documented procedures and practices – to wit, the notion of P-cubed (policy, procedure, and practice). Policies without the associated guidance on the procedures and practices are incomplete. It’s easy to say that we should employ a least-privilege methodology, we should encrypt critical data, that we should have strong passwords, and on and on. However, without specific guidance on how we achieve these end states, there is too much room for ambiguity. As I noted earlier in this book, “Declare War on Ambiguity!” Procedural guidance should indicate how to perform the practices, how to conduct and show evidence of review and approval activities, as well as the documentation and systems used to complete a given procedure.

Structure Counts: Consistent Policy Design

One reason why so many policies are ineffective is that the actual structure of the policy has never been standardized within the organization. The consequence of this is that policies are incomplete and omit critical elements required for their successful implementation, notably management authorization and employee acknowledgment. A well-structured policy should at a minimum include the following core elements:

♦  Policy ownership – In the context of a RACI matrix, a policy requires someone to be accountable for the procedures and practices needed for the policy’s compliance. Note this individual or role as the policy’s owner.

♦  Review and approval – Policies should be reviewed and approved by executive management. This authorization should be formalized and include those executives who are impacted by the policy’s scope, including the formal approval of executives beyond traditional IT roles such as the CIO or CISO.

♦  Employee acknowledgement and sanctions – For policies to be effective, they need to be read and acknowledged by employees and, in many cases, independent contractors and vendors. A policy should include a formal acknowledgment section where employees confirm that they have read the policy and understand that failure to comply with the policy, unless duly authorized by management (and this would be an exception), could lead to disciplinary action up to and including employee dismissal. Ideally, once employees have signed the policy, these acknowledgment forms should be kept by human resources and maintained in each employee’s HR file.

♦  Effective date – Policies should have a clearly stated effective date. This formally conveys that the policy is in force and is part of the organization’s overall governance practices.

♦  Review date – Policies should be subject to review. Ideally, policies should be subject to an annual review where there may be updates to procedures and practices, scope, or policy ownership. Language indicating that the policy may be reviewed and updated from time to time, based on changes to the organization, technology, or other factors, should be incorporated to offer flexibility.

♦  Version – Policies should be version controlled. The version number should change following each annual review (or during an interim review if required).

♦  Scope – Policies should have a defined scope or boundary for their required procedures and practices. The policy’s scope will determine where applicability to needed procedures starts and ends within the organization. As a case in point, there may be a policy to require encryption of data in transit and at rest. The scope of the policy would specify which types of information should be encrypted (e.g., PII or ePHI).

♦  Procedures and practices – Policies should reference the specific procedures and practices required to ensure that the organization is meeting the policy objectives. Proper procedural documentation leaves little space for ambiguity. Procedural documentation should also capture the system(s) of record used to carry out the activities, the types of documentation created relating to the procedure, and where this documentation is stored. Validation and verification activities should also be clearly captured and understood. There should be no doubt what’s required, who is doing the work, and how it is measured and validated.

Procedures should include a basic RACI. This should note who is:

♦  Responsible (the individuals or departments doing the actual work)

♦  Accountable (the specific role or individual that effectively owns the result of the procedure)

♦  Consulted (individuals with expertise and knowledge of a given domain that can help validate and inform procedures and practices)

♦  Informed (those departments, individuals, clients, regulators, boards, etc. that should know about the existence of a procedure and the outcomes of its activities).

Collectively, these elements are necessary constituent parts of a well-structured policy.

Matt Stamper