Time to update your cybersecurity policy?

September 15, 2020 by Patrick Mallory

Introduction

In today’s highly connected world, new cyberthreats and risks emerge seemingly every hour, around the clock. Whether it is from spearphishing, a distributed denial-of-service attack or a targeted piece of malware, connecting your organization’s systems and workstations to the internet always opens up the possibility of a cyberattack. 

Unfortunately, cybercrime has become a very rewarding business for attackers, which means cyber risk should be a focus of every organization, public and private. If it is not, the result can be the loss of money, brand reputation, trust and customer, employee or proprietary data, if not all of the above. Based on a February 2018 report from the White House Council of Economic Advisers, the United States economy lost between $57 billion and $109 billion due to malicious cyber activity in 2016 alone.

While nothing can fully prevent an organization from falling victim to a cyberattack, a strong cybersecurity governance model composed of policies that outline system-use and enterprise standards, expectations and rules can help to dramatically mitigate the risk of one occurring and wreaking havoc across your network. 

However, just as the cyber threat constantly evolves, so too should the policies that make up the foundation of your cybersecurity program. But when is the right time to update your policies and who should be involved in that process? This article will lay out the role that cybersecurity policies play in your security program, summarize industry best practices on when policies should be reviewed and identify key organizational roles and responsibilities that should be involved in maintaining their relevance.

The role of cybersecurity policies

Cybersecurity policies outline the rules for how your organization’s workforce, third parties, partners, customers and other end users can use and access your information technology resources and the data that is stored in and traverses your network and systems. Cybersecurity policies typically follow a hierarchical structure: an overarching policy describes general security expectations, identifies key roles and responsibilities in the organization, internal and external stakeholders, the governance process, the key assets to be protected and high-level security control expectations, and more specific standards and procedures beneath it spell out how those expectations are met.

Unfortunately, once an organization establishes its cybersecurity policies, many leaders tend to act as if these documents and procedures are set in stone, inflexible and never in need of change. In such a dynamic cyberthreat environment, this mindset is not only flawed but also dangerous. Effective policies and procedures are established and enforced, not left to sit on a shelf; security policies should be treated as living documents that adapt and evolve with a company, its customers, security best practices and its market.

When to review your cybersecurity policies

Outdated cybersecurity policies can leave your organization at risk, put it out of compliance with new laws and regulations, create inconsistencies between best practices and actual operations, and leave your IT systems and technology vulnerable. So how and when should your organization update its policies?

In some cases, regular cybersecurity policy reviews are mandated by industry and government compliance standards, such as in public safety, banking, education and healthcare. But organizations should not just wait for an external deadline or mandate or, even worse, for an incident to occur before they review and update their cyber policies. 

Policy reviews and revisions should be a routine part of any cybersecurity program. Here are five signals your organization should watch for to trigger an evaluation of how well your policies fit your cyberthreat environment.

As part of regular governance evaluation

The most widely recommended trigger to initiate a review of cybersecurity policy is through the establishment of a regular schedule built into your security policy’s overarching governance document. Whether it is each quarter or annually, proactively completing a policy and procedure review needs to be built into your corporate calendar.

Fortunately, policy review does not have to be a daunting or cumbersome task. Many organizations utilize policy management software or even existing document collaboration software to set up alerts and workflows, conduct review, capture feedback and sign-off and handle version control. Whatever the methods, timeline and frequency, the important component is making cybersecurity policy evaluation a regular part of your business.

Responding to regulatory requirements

State, federal and international laws and regulations change constantly. It is imperative that security and compliance teams are aware of this and account for the changes that could affect their organization’s cybersecurity program.

Any time there is a regulatory change, your organization may need to convene a policy review to understand the impact of that change, identify what needs to be altered or added, estimate how long those changes could take to implement and surface any other resource or downstream business implications.

Your organization should not wait for an audit or the date that the new regulatory standard becomes active to initiate this sort of policy review. Instead, investigating the impact of the change and adapting your policies can help to adjust your business and security controls to the new regulation and support a smoother transition for your workforce when the new law takes effect.

For example, organizations that fall under the Payment Card Industry Data Security Standard (PCI DSS) must review their information security policy at least annually. However, there have been nine revisions of PCI DSS in the fourteen years that the standard has been in place, and an organization’s policies need to reflect the version currently in force, not the one they were written against.

The introduction of the General Data Protection Regulation, as well as regular updates in HIPAA and education privacy laws, are other solid examples of why it is important to constantly evaluate how your current cybersecurity policies could be impacted by external forces. 

Updates in organizational structure

Another key time to conduct a review of your cybersecurity policies is when there is a notable change to your organization. While the level and scale of change can vary by organization, it is recommended to conduct a review of your cybersecurity policies when any of the following occur:

  • New branches or offices are opened
  • New enterprise applications, network devices or services are added or updated
  • New products or services are added, especially in cloud-based industries
  • Systems are retired or decommissioned
  • Changes are made in when or how employees work, such as introducing a “bring your own device” policy for phones or computers, changing core work hours or offering employees the ability to work remotely
  • Services or operations are outsourced

While this list is not exhaustive, changes like these are a great time to ensure that your policies continue to align with your company’s mission, vision, values, IT infrastructure, systems and cyber risk tolerance. The common thread should be that your cybersecurity policies and procedures line up with the current systems and infrastructure in place; policies should not reference old technology or procedures that are no longer relevant or the best practice. Only current systems, security controls and best practices should be reflected so the new expectations for all employees are made clear.
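The scheduled review described under regular governance evaluation and the change-driven review described in the list above are the two kinds of trigger a policy register can track automatically. The following Python script is an added example and is not code from the original article or from any policy management product: it keeps a small register of policies with their review cadence and the systems and regulations each one references, then computes which policies need a review today and why. The policy names, owners, dates, system labels and regulation labels are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


def _as_date(value):
    """Accept either a date or an ISO-8601 string such as '2020-09-15'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class Policy:
    name: str
    owner: str                   # role accountable for the policy's content
    last_reviewed: date
    review_interval_days: int    # cadence set by the governance document
    systems: tuple = ()          # systems/technologies the policy text references
    regulations: tuple = ()      # regulations or standards the policy implements


def review_triggers(policy, today, warn_days=30, retired_systems=(), changed_regulations=()):
    """Return the reasons this policy should be reviewed now; an empty list means none."""
    today = _as_date(today)
    reasons = []

    # Trigger 1: the regular governance schedule, with an early-warning window so the
    # alert fires before the deadline rather than after it has been missed.
    due = policy.last_reviewed + timedelta(days=policy.review_interval_days)
    if today >= due:
        reasons.append(f"scheduled review overdue since {due.isoformat()}")
    elif today >= due - timedelta(days=warn_days):
        reasons.append(f"scheduled review due {due.isoformat()}")

    # Trigger 2: organizational change. A policy that names a retired system is
    # describing controls that no longer exist.
    for system in policy.systems:
        if system in retired_systems:
            reasons.append(f"references retired system '{system}'")

    # Trigger 3: regulatory change to a standard the policy implements.
    for regulation in policy.regulations:
        if regulation in changed_regulations:
            reasons.append(f"implements changed regulation '{regulation}'")

    return reasons


def review_queue(policies, today, **triggers):
    """Map policy name -> list of reasons, for every policy with at least one trigger."""
    queue = {}
    for policy in policies:
        reasons = review_triggers(policy, today, **triggers)
        if reasons:
            queue[policy.name] = reasons
    return queue


# Constructed sample register; names, owners, dates and labels are illustrative only.
REGISTER = (
    Policy("Acceptable Use", "CISO", date(2019, 6, 1), 365, systems=("vpn-gateway",)),
    Policy("Cardholder Data Handling", "Compliance lead", date(2020, 8, 1), 365,
           regulations=("PCI DSS",)),
    Policy("Remote Work", "HR director", date(2020, 9, 1), 180,
           systems=("legacy-citrix",)),
    Policy("Incident Response", "SOC manager", date(2020, 7, 1), 365),
)


if __name__ == "__main__":
    # Run on the article's publication date with one system marked as retired.
    queue = review_queue(REGISTER, "2020-09-15", retired_systems=("legacy-citrix",))
    for name, reasons in queue.items():
        print(f"{name}: " + "; ".join(reasons))
```

In practice the register would be exported from the policy management or document collaboration tool the article mentions, the retired-systems list from the asset inventory or decommissioning tickets, and the changed-regulations list maintained by the compliance team; the point of the script is that the review schedule and the change events are evaluated together, so a policy that is not yet due by the calendar still surfaces when something it references has changed.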

Responding to a threat or incident

No organization should wait until an incident occurs to review their cybersecurity policies, but sometimes an incident or policy violation within your organization or in that of a peer can indicate the need for a change. In other cases, it can be the result of an external or internal penetration test or a risk metric threshold having been met or exceeded.

Immediately after the actual damage of an incident is contained and operations are recovered or the vulnerability is remediated, security and management teams should conduct a debrief to document what occurred, lessons learned and how existing policies either had the intended effects or fell short. This could include interviewing staff and examining system and security tool logs to capture the details of an incident to see if controls and procedures were carried out properly. From there, changes in security policies and procedures can be made; if necessary, employee training can be updated to enhance understanding of any policies. 

However, not every security policy violation should result in dramatic policy changes. If a security event is isolated and existing controls are still deemed sufficient, then no changes have to be made. In other situations, especially if incidents are recurring or if there are many incidents occurring in the same system or location, the issue may be that a policy or standard is outdated, confusing or requires increased training.

Issues with employee compliance and adoption

Another metric or signal that organizations can use as a trigger to review cybersecurity policies is when there are issues with employee compliance with established policies and procedures. However, it should not take a high-profile breach to do an evaluation of how well employees are doing with compliance. Even further, as with security incidents, a policy doesn’t need to change every time there is an issue with employee compliance; instead, organizations may need to focus on training and education. 

Whether it is through informal feedback, audits by security professionals, review of help desk or error logs or through formal surveys, use some of these questions as prompts to help evaluate how well employees are complying with security policies: 

  • Are the procedures difficult to follow? 
  • Have new technology or processes been introduced that existing policies don’t address? 
  • Is current employee cybersecurity awareness training adequate?
  • Do employees and managers have any suggestions on how to improve policies or the adoption of security practices? 
  • Are cybersecurity policy objectives, goals and standards clear?

In some cases, underlying policy standards may need to be adjusted to more accurately represent an organization’s current IT environment or best practices; in others, language may need to be refined or training updated in order to assist with employee compliance. In either case, engaging with end users that are the front line of an organization’s cybersecurity defenses should be an ongoing practice.

Updating the policies: Roles and responsibilities

So far we have touched on end users, security professionals and the management team and their involvement in writing, implementing, evaluating and updating cybersecurity policies. That is because cyber risk — and attempting to mitigate it — should be an imperative for everyone within an organization, from the boardroom to the newest employee. However, the ultimate responsibility for overseeing cyber risk, as with any other key decision and resource allocation, lies with an organization’s senior management. 

Within the IT organization, that responsibility usually sits with the Chief Information Security Officer (CISO) or Chief Information Officer (CIO). As part of the security review and maintenance process, other stakeholders should contribute, depending on their function, experience and roles within the organization. Those involved could include:

  • Policy owner
  • System owners 
  • Executive managers 
  • Business process owners
  • Legal counsel
  • Human resources/training staff 

Exactly who will make up a policy writing team will be different based on the organization and the policy in question. 

The scale of the change to the policy itself can also vary. If it is a small change, it can be as simple as recommending a change to specific language or phrasing within a policy. In other cases, as with updates to regulations or laws, the policy change management process may be more involved and could include legal counsel and support from human resources staff to assist in communicating to and educating end users on policy implementation. 

Bringing it all together

Cybersecurity policies should be living documents that grow and evolve with your organization. Without current, enforced policies, systems can go unpatched, end users can make mistakes that could have been prevented and corporate and customer data can be at risk of a breach.

Further, a hands-off approach can leave organizations facing regulatory fines, paying legal fees or settlements and watching as they lose public trust and their brand is tarnished. In other words, it is hard to overstate just how important it is to review cybersecurity policies and procedures and create a process to do so on a regular schedule as well as if any of the triggers outlined above occur. If done correctly and proactively, your cybersecurity policies can help to minimize risks, increase adoption and make sure employees have the tools and guidance to do their jobs safely.


Sources

  1. An Introduction to PCI DSS, Cryptomathic
  2. Securing the future of payments together, PCI Security Standards Council
  3. The Cost of Malicious Cyber Activity to the U.S. Economy, The Council of Economic Advisers
Patrick Mallory

Patrick’s background includes Strategy and Cyber Risk Services consulting experience with Deloitte Consulting with both States and large Federal transportation and security agencies. He also served 3 years as a Deputy CIO for the City of Raleigh, where he assisted with the implementation of security policies, tools, and employee education initiatives as well as PCI, CJIS, and HIPAA compliance. He currently supports the IT infrastructure for the U.S. State Department.

Patrick also holds CISSP, CISM, and Security+ certifications as well as a PMP. He holds an MS in Information Technology – Cybersecurity and MS Public Policy from Carnegie Mellon University, where he assisted with graduate level teaching in the information security program.