Developing Cybersecurity Programs and Policies Summary

Objectives

  • Create standard operating procedures (SOPs)

  • Implement change control processes

  • Understand patch management significance

  • Protect systems against malware

  • Consider data backup and replication strategies

  • Recognize email security requirements

  • Value log data and analysis

  • Evaluate service provider relationships

  • Understand the importance of threat intelligence and information sharing

  • Write operational and communications security policies

Standard Operating Procedures (SOPs)

  • SOPs improve communication, reduce training time, and enhance consistency.

  • Documentation is essential to safeguard against loss of institutional knowledge.

Authorization and Protection

  • Procedures must be authorized by the process owner.

  • Integrity of SOP documents must be safeguarded against tampering.

Writing Guidelines for SOPs

  • Use simple language.

  • Include all steps without excessive detail.

  • Ensure clarity in instructions.

Presentation Format Guidelines

  • Fewer than 10 steps: step format.

  • 10 or more steps, few decisions: graphical or hierarchical format.

  • Many decisions: flowchart format.

Operational Change Control

  • Change control regulates authorized changes to systems and processes.

  • The process starts with a Request for Change (RFC), which includes justification and impact analysis.

Patch Management

  • Patches fix security vulnerabilities and must be applied swiftly.

  • Patch management involves scheduling, testing, and applying updates.

Malware Overview

  • Malware disrupts operations, gathers sensitive data, or provides unauthorized access.

  • It relies on user interaction to execute and comes in many types.

Malware Control

  • Implement defense in depth: prevention, detection, and response controls, plus security awareness training.

  • Antivirus software uses signature-based and behavior-based detection methods.

Data Replication and Backup

  • Data replication: copying data to a second location so it is immediately usable; the recovery time objective (RTO) and recovery point objective (RPO) drive the design.

  • Backup: storing data for restoration; critical for integrity and availability.

Backup Design Considerations

  • Focus on reliability, speed, simplicity, ease of use, and security.

Email Security Risks

  • Email is not encrypted by default, so sensitive data in messages can be exposed in transit and at rest.

  • Email can carry malware through attachments or links.

Protection Practices for Email

  • Educate employees on risks, implement encryption, and restrict personal email access.

Log Analysis and Activity Monitoring

  • Log management involves configuration, analysis, and response to events.

  • Techniques include correlation, sequencing, signature comparison, and trend analysis.
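As an added illustration (not taken from the original summary or the textbook it condenses), the following Python runs the four listed techniques over a few constructed authentication log lines; the log format, the signature pattern, and the thresholds are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (not taken from the original page).
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:03 sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:05 sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:09 sshd: Accepted password for admin from 203.0.113.7
2024-05-01T09:00:20 sudo: admin : COMMAND=/usr/sbin/useradd svc-tmp
2024-05-01T10:15:00 sshd: Failed password for alice from 198.51.100.4
2024-05-01T10:16:00 sshd: Accepted password for alice from 198.51.100.4
"""
LINE_RE = re.compile(r"^(\S+) \w+: (.*)$")
AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")
# Signature comparison: a hypothetical known-bad pattern used for illustration.
SIGNATURES = {"account_created_via_sudo": re.compile(r"COMMAND=\S*/useradd\b")}

def parse(log):
    """Normalise raw lines into (timestamp, message) events, oldest first."""
    return sorted((datetime.fromisoformat(m.group(1)), m.group(2))
                  for m in map(LINE_RE.match, log.splitlines()) if m)

def signature_hits(events):
    return [(name, ts.isoformat()) for ts, msg in events
            for name, rx in SIGNATURES.items() if rx.search(msg)]

def correlate_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation + sequencing: N failures from one source in the window, then a success."""
    fails, alerts = defaultdict(list), []
    for ts, msg in events:
        m = AUTH_RE.search(msg)
        if not m:
            continue
        outcome, user, src = m.groups()
        fails[src] = [t for t in fails[src] if ts - t <= window]  # slide window
        if outcome == "Failed":
            fails[src].append(ts)
        elif len(fails[src]) >= threshold:
            alerts.append((src, user, len(fails[src])))
    return alerts

def trend_failures_per_hour(events, factor=2.0):
    """Trend analysis: hours whose failures exceed factor x the mean of the other hours."""
    per_hour = Counter(ts.strftime("%Y-%m-%dT%H") for ts, msg in events
                       if msg.startswith("Failed password"))
    total, hours = sum(per_hour.values()), len(per_hour)
    return [(h, n) for h, n in per_hour.items()
            if hours > 1 and n > factor * (total - n) / (hours - 1)]
```

Call `parse(SAMPLE_LOG)` once and pass the result to each function; the admin burst triggers the correlation alert and the hourly trend flag, while alice's single failure followed by a success does not.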

Service Provider Oversight

  • Service provider security controls should meet or exceed those of the contracting organization.

  • Due diligence is assessed using SSAE 18 (Statement on Standards for Attestation Engagements No. 18) audit reports.