The first line of cybersecurity defense within any organization is its employees. To communicate a direct and consistent message about how employees are involved in the protection of the organization, clear and concise cybersecurity-related policies and standards must be created and followed. Developing policies and standards is critical to a successful cybersecurity program, but very few people enjoy writing them. Though we cannot make the process any more enjoyable, we can at least walk you through the steps.
The first step is to identify what needs to be protected. These are referred to in the cybersecurity world as assets, and they can be individual systems, entire processes, intellectual property, or even the employees and facilities of the organization. Each asset on the resulting list must then be assigned a classification of importance. This is achieved by performing a risk assessment.
A risk assessment is accomplished by rating each asset on its confidentiality, integrity and availability. To ensure each asset is evaluated objectively, it is crucial to clearly define the different levels of importance that will be assigned. Understanding from an objective point of view how critical each asset is to the overall success of the organization will help create policy, which defines how to protect the assets. In control systems, the availability and integrity of an asset could be a vital component of the safe operation of equipment. These safety concerns must be considered when performing this evaluation.
Now that a level of importance has been assigned to each asset within the organization, an understanding of the threats those assets might face must be developed. Threats can come in many different forms, including hacktivists, malware, espionage or data exfiltration, as well as commonly overlooked possibilities such as a disgruntled employee, natural disasters or power failures. After threats have been identified, the next step is to try to understand their likelihood. The threats most likely to occur are those that an organization should build policies and standards to protect against.
Once assets have been documented and classified, and threats identified and prioritized, it is time to create the policies and standards detailing how the organization will protect against those threats. First, categorize the security controls logically, and group related controls together in one policy. Developed policies define what the organization wishes to achieve. Examples include specific password length/complexity or backup frequency and backup retention targets. Standards or procedure documents will be created to define exactly how the organization wishes to achieve the objectives of its policies.
It is important from an operational standpoint to keep policies and procedures separate. As technology changes, the tools and steps necessary to achieve a goal will change more frequently than the goal itself. In many organizations, changes to policy must be approved by upper management, whereas procedures or standards do not.
With these basic steps in place, you should be more prepared to develop a successful cybersecurity program within your organization.
Brandon Bohle is MIT analyst III and Alan Raveling is a senior analyst at Interstates Control Systems Inc., a certified member of the Control System Integrators Association (CSIA). For more information about Interstates Control Systems, visit its profile on the Industrial Automation Exchange.