Chapter 9


In our final chapter, we will review one of the core topics around which all security and risk mitigation operations revolve: the organization’s cybersecurity program policies. Policies are the foundation for a security program. They explain how a program will execute specific processes, who has the responsibility, and the resources required for mature operations. For many organizations, not having the correct policies can significantly impair their ability to defend themselves against cyber criminals and degrade their ability to recover from a cyber incident. It is the responsibility of the CISO and executive management to have the correct policies in place, follow the policies, and periodically update them as the business/technology environment changes.

In this chapter, our authors will provide their insight into the recommended policies an organization should have in its portfolio and will describe in detail the components of a corporate information security policy. Our authors approach this subject from different viewpoints, but it should be noted that their wealth of experience on this subject demonstrates the importance of the CISO understanding this process and accepting it as one of their core responsibilities.

Bill Bonney provides his viewpoint that information security policies are foundational to an organization. He discusses the relationship between policy, standards, guidelines, and procedures. Throughout, he notes how important it is to maintain the connection between business objectives and the organization’s policies. Finally, Bill asserts that “policy has a purpose,” that it is written for action, and proceeds to elaborate on the principles and steps for establishing an effective cybersecurity policy.

Matt Stamper states that CISOs use security policies to be effective in fulfilling the requirements of their position. He discusses the balance between creating a policy that has a specific objective and that is actually used in the organization. Matt then articulates the core elements of a well-structured policy and provides recommendations for specific policies that he deems crucial for an organization and its cybersecurity/risk management programs.

Gary Hayslip provides insight into the essential components of an organization’s information security policy. He then walks the reader through a step-by-step process for creating an incident response policy and describes how it should be used by an organization. He concludes his discussion by providing a list of recommended policies that a CISO should create and use to address the risks facing their organization. He makes the case that through the use of these policies and resulting work practices, the CISO can enable the organization to be more resilient to the risks it faces.

Some of the questions the authors used to frame their thoughts for this chapter include:




Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.