Episode 195 - Annual Policy Review - Making it Worthwhile
The Southern Fried Security Podcast
Release Date: 05/11/2017
Episode 195 - Annual Policy Review - Making It Worthwhile
- Define policy vs. standards vs. procedures
- What is a Policy? It is a guiding principle to set the direction of an organization: high-level, governing statements that do not include technical details.
- Example: Policy statement = Users must authenticate with a unique ID and password
- Standard: User passwords must include at least one uppercase letter and one special character and be at least 10 characters in length. This type of information would go into an Access Control Standard.
- What is a Standard? Standards support the policy and make it more meaningful and effective.
- What is a Procedure? A procedure is a step-by-step how-to guide, written so that following it always produces the same end result. These are the steps for configuring your firewalls, setting up a new user, building a server, etc.
- Every policy guide everywhere says you need to review your policies regularly which almost always means annually.
- Failure to do the annual review can get you in hot water with your regulator and/or auditor.
- It just Makes Sense.
- Why review your policies?
- It’s the one time a year you can nudge the organization where it needs to go
  - Past Problems
  - Current Issues
  - Future Challenges
- Killing off/modifying policies that get in the way of people doing work will Make Friends And Influence People
- There is no better way to ensure your team is working on what needs to be worked on than aligning with stated policy.
- Making Sense of Policy Review
- Alert The Approvers
- Line Them Up
- Divide and Conquer
- Bring The Business Into The Process
  - Internal Audit
  - Legal
  - Risk
  - Corporate Security
  - IT
  - Marketing / Public Relations
- As Needed Bring In
- Change Crosswalks FTW
- Communicate, Communicate, Communicate.
- The Review Process
- Have a process to deal with questions. Route questions to the authoritative source for an answer - don’t answer stuff you can’t/shouldn’t
- Questions?
- Resources?
More Notes
- Make sure what is being added is enforceable. This is a legal document and can be used in court. Statements support what is being done today, not what you would like to do or wish the program would do in the future.
- Go back to those “parking lot” statements that were not added, or were removed from a draft, because you couldn’t enforce them at the time. Can they be added now? Don’t lose sight of them if they are important to your security program.
- Does the corporate culture / C-level support the statements in the policy? As a security practitioner you may firmly believe that your security program must abide by certain policy statements, but the corporate culture or your CEO, CFO, or even CISO may not support it. They may become “parking lot” items for a future version, or you may be able to demonstrate that the program can support that statement without affecting the culture.
- Legal is an important reviewer. It feels nitpicky during the review but Legal knows when “should” and “must” are appropriate.
- Don’t reinvent the wheel. ISO 27001 is a good framework for your policy. Use it. Don’t try to come up with statements because you think you have to appear to be an Info Sec Policy God. KISS!
- Don’t write standards and procedures in your policy! We’ve reviewed countless policies that contained what we’d consider a standard, or “step-by-step instructions for making firewall changes.” That’s a procedure! Keep it out of your policy.