Cyber Security Control Frameworks are created to provide guidance in developing security policies and procedures. State the control frameworks and give two examples of how this control is applicable in developing security policies and procedures?
Control Framework:
A control framework is a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk.
Example of Control Framework:
1. COBIT (Control Objectives for Information Technology)
COBIT is a widely utilized framework containing best practices for both ITGC and application controls. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities. It also recommends best practices and methods of evaluation of an enterprise's IT controls.
2. COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) that need to be in place to achieve financial reporting and disclosure objectives; COBIT provides similar detailed guidance for IT, while the interrelated Val IT concentrates on higher-level IT governance and value-for-money issues. The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate. The four COBIT major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.
Developing Security Policies & Procedures:
An Information Technology (IT) Security Policy identifies the rules and procedures for all individuals accessing and using an organization's IT assets and resources.
Policy is what defines and authorizes the control framework that an organization will deploy. The vast majority of organizations fail to effect a useful policy framework for a number of reasons. Following the SMART principle is the best way to ensure that the policy framework can achieve the goals of the organization.
The technique for applying the concept of in-depth defense to information systems security within an organization includes the following stages:
1. Determine assets and security objectives of the organization,
2. Specify the organization and overall architecture and stance,
3. Develop the policy, procedures, and standards,
4. Implement and test the control systems, and
5. Continuously and periodically evaluate the controls that have been implemented with an eye to improvement.
Example:
How to develop security policies and procedures:
Here are some ways to develop a strong security policy for your company.
1. Start by creating broad policies
Developing a security policy from scratch can be an overwhelming task. The many areas that need to be addressed can be daunting, and you can easily get carried away with the small details instead of focusing on the bigger picture.
The best way to make a start is to create broad policies that cover all major areas of your business.
2. Should be written
This goes without saying: your security policy should be written and serve as a guideline for every member of your company. No matter how simple its form, ensure that you document all policies, and ensure that your security policy is understandable – or you’d be defeating its purpose. Remember, policies are a journey rather than a destination, so you’ll have to keep developing them as you go along.
Most companies try to develop their security policies in-house, but I strongly advise taking the help of a qualified and competent professional. As entrepreneurs, we can’t do everything ourselves.
A white-collar crime attorney might add great value to your security policy by including policies that could prevent employees from committing crimes where you might be held liable.
3. Start with a standard policy format
To make things easier for you in the beginning, draft policies using a standard format. It might not make sense to reinvent the wheel. There are several standard organizational policy templates that are available online.
4. Get employees involved
Eventually, security policies need to be followed, and for that, you need the support of your employees. So let them take ownership of these policies. They also give you feedback on the realities on the ground.
5. Stay updated
Your security policy should be a living document that is updated frequently because situations change often. As your company grows, certain things might become irrelevant while there are other things that might become more relevant. So ensure that your security policy is constantly updated and there is no room for any breach.
6. Train your employees on it
Having a policy is not enough; the most difficult part is to ensure that it is implemented. Employees should understand their role in preventing security breaches, and know what to do when there is a breach.