Tailoring Cybersecurity Policy Frameworks
Based on the Lantego Policy Development Process


A cybersecurity policy framework provides a general structure for organizing policy statements into a complete and coherent policy set. Cybersecurity policies are not one-size-fits-all documents, and neither are the frameworks they are built on. To address all of an organization's business needs, the author of a policy set will usually tailor the framework to the specific organization it serves.

Customer and Business Requirements

The organization may have several unique business requirements that drive the development of additional information security controls, or even additional information security policies, and these additions change the base framework. Start with the framework, but be flexible enough to accommodate business needs when developing the platform upon which the organization's policies are built. For example, a pharmaceutical company may recognize extremely high asset values in a building where it works on new products. With those asset values come additional risks, such as industrial espionage, and a need for additional physical security controls not present in other organizations. Where such controls are unique to certain environments (e.g., data centers, research and development facilities), a separate physical security controls policy for very sensitive areas may be warranted.

Importance of Completeness

Even the most frequently cited information security frameworks have notable gaps in their coverage of information security controls. For example, the FISMA framework (built on the NIST SP 800-53 control catalog) is not very specific about the measurable elements of a security program (e.g., testing, validation, and assessment specifics). On the other hand, the ISO 27001 framework provides few specific requirements in the area of network security (e.g., firewall architecture and settings, wireless access point isolation, secure DNS). In both cases the standard serves as a general framework, and the organization should review its own security needs and tailor the framework to suit them (e.g., expand the framework to include additional policies, topics, requirements, or specific values).

Adding and Mapping Regulations

Organizations will also need to tailor the information security policy framework to accommodate and map the information security regulations, standards, and requirements that apply to them. These policy additions stem from customer requests, industry regulations, and other business-driven requirements. For each required information security requirement document (e.g., the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the North American Electric Reliability Corporation Critical Infrastructure Protection standards (NERC CIP)), the organization should a) ensure all requirements are documented in the standard policy set and b) create a crosswalk that supports compliance reviews.

  • Ensure All Requirements are Documented – There must be an accounting for each and every requirement in an information security regulation or standard that the organization seeks to implement. In many cases the information security framework will already contain a populated control that meets the documented requirement. For example, PCI DSS requires basic security awareness training, and this requirement is already accounted for in the FISMA framework. In other cases, a control required by a regulation or standard may not currently be populated in the framework. For example, PCI DSS requires quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) that is independent of the organization. Such a requirement does not exist in the FISMA framework, but it can easily be added under the framework's vulnerability scanning section.
  • Compliance Crosswalk – While developing and revising the information security policy framework, track each regulation or standard requirement and where it is addressed in the tailored framework and resulting set of policies. There are several approaches to tracking this mapping, such as adding references to the original standard at the end of each policy statement, or creating a crosswalk matrix based on the regulation that maps each regulation statement to a specific policy statement. Building a compliance crosswalk is tedious work, but it must be performed to ensure the completeness of the policy set. As a side benefit, once completed, the crosswalk supports compliance reviews against the specific standard or regulation.
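The crosswalk described above is a mapping that can be built and checked mechanically once each policy statement carries the references it satisfies. The following is an added example, not part of the original article or of the Lantego process, showing how to generate the matrix and the two checks a reviewer most wants: requirements with no covering policy statement (a completeness gap) and policy references that point at requirement identifiers the regulation does not contain (typos or stale citations). All requirement identifiers, policy identifiers, and requirement wording below are constructed sample data and are not verbatim text from PCI DSS or any other standard.

```python
"""Compliance crosswalk builder and completeness check.

Added example (not from the original article). Builds a crosswalk from a
regulation's requirement list to a tailored policy set and reports gaps.
All identifiers and requirement texts are constructed placeholders.
"""

# Constructed sample regulation: requirement id -> short requirement text.
# Illustrative wording only, not verbatim PCI DSS language.
REGULATION = {
    "REG-1": "Maintain a security awareness program for all personnel",
    "REG-2": "Perform quarterly external vulnerability scans via an ASV",
    "REG-3": "Perform internal vulnerability scans at least quarterly",
    "REG-4": "Restrict inbound and outbound traffic to that which is necessary",
}

# Constructed sample policy set. Each statement carries the regulation
# references it satisfies (the "reference at the end of each policy
# statement" approach). Policy ids are hypothetical.
POLICY_STATEMENTS = [
    {"id": "AT-2.1", "text": "All personnel complete security awareness training annually.",
     "refs": ["REG-1"]},
    {"id": "RA-5.1", "text": "Internal vulnerability scans are run at least quarterly.",
     "refs": ["REG-3"]},
    {"id": "SC-7.3", "text": "Firewalls deny all traffic not explicitly permitted.",
     "refs": ["REG-4", "REG-9"]},   # REG-9 is a deliberate dangling reference
]


def build_crosswalk(regulation, policy_statements):
    """Return {requirement_id: [policy_id, ...]} for every regulation requirement."""
    crosswalk = {req_id: [] for req_id in regulation}
    for stmt in policy_statements:
        for ref in stmt["refs"]:
            if ref in crosswalk:
                crosswalk[ref].append(stmt["id"])
    return crosswalk


def find_gaps(regulation, policy_statements):
    """Requirement ids that no policy statement claims to satisfy."""
    crosswalk = build_crosswalk(regulation, policy_statements)
    return sorted(req for req, pols in crosswalk.items() if not pols)


def find_dangling_refs(regulation, policy_statements):
    """(policy_id, ref) pairs whose ref is not a requirement in the regulation."""
    return sorted({(s["id"], r) for s in policy_statements
                   for r in s["refs"] if r not in regulation})


def crosswalk_matrix(regulation, policy_statements):
    """Render the crosswalk as a plain-text matrix for a compliance review."""
    crosswalk = build_crosswalk(regulation, policy_statements)
    lines = [f"{'Req':<8} {'Policy statement(s)':<22} Status"]
    for req_id, text in regulation.items():
        pols = ", ".join(crosswalk[req_id]) or "-"
        status = "covered" if crosswalk[req_id] else "GAP"
        lines.append(f"{req_id:<8} {pols:<22} {status}  ({text})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(crosswalk_matrix(REGULATION, POLICY_STATEMENTS))
    print("Unmapped requirements:", find_gaps(REGULATION, POLICY_STATEMENTS))
    print("Dangling references:", find_dangling_refs(REGULATION, POLICY_STATEMENTS))
```

On the sample data the matrix flags REG-2 (the external ASV scan requirement) as a gap, which is exactly the kind of control the text says must be added to the framework, and it flags the SC-7.3 reference to REG-9 as a citation that should be corrected before the crosswalk is used in a compliance review. In practice the two dictionaries would be loaded from the regulation's requirement list and the policy set's own reference annotations rather than hard-coded.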

For assistance with cybersecurity policy development projects - Contact me [email protected].
