
A Cyber Framework Conundrum

Which first? The Policy or Procedure? A Cyber Framework Conundrum.


A recent and very new direction in my career has seen me enter the universe that is cyber security frameworks, by being tasked with laying the groundwork for adopting a cyber framework. Having come from 20 years of technical support and system administration, the operational side of security was familiar to me; however, merging formal procedure and policy with day-to-day process was a brave new world.

I started with the NIST Cybersecurity Framework (CSF), as it made sense to me. The common-language approach felt right, and I could gel with its emphasis on continuous improvement. However, simply slotting your existing business procedures into the requirements of NIST is not for the faint-hearted, and I needed help – which led me to the Center for Internet Security (CIS) Controls.

For those who do not know, the CIS Controls provide a robust framework for beefing up your security posture: a granular set of operational checks that are grounded in real-world threats and provide actionable guidance. Again, it is a common-language, operational approach that maps beautifully to the requirements of NIST CSF (and many other frameworks too). It all made operational sense, and all was good in the world – until it came to creating policy.

Frameworks require policy and process. How do you create operational policy and process that will be good enough to satisfy the requirements of auditors or a framework, and in a live environment? How do you start down the road of building compliant operational policies and processes? Do you start by mapping existing procedures to compliant controls? What happens if existing procedures do not fully map? How do you create compliance from that?

Do you approach your IT teams with a list of things you need done differently and try to mould them into a shape they might not be able to fit into? What happens if that cannot be achieved due to resourcing, tooling, etc.? Do you just chuck all the bits you cannot comply with into a risk bin and walk away?

There is not a one-size-fits-all answer to this, but the best advice I could give is: take small steps. Bite-sized continuous operational improvement, steered towards your framework compliance. Understand how your IT operations work. Know where you currently are, where you would like to be, and where you need to be, and don’t be afraid to aim at the unattainable. Halfway to unattainable will be better than where you started.

Creating policy and mapping procedure is challenging, and I found it the most challenging part of my journey, but thankfully, if you know where to look, there are a lot of resources out there to help. I studied many pre-existing templates created by organisations like the SANS Institute, CIS and FRSecure, to name a few, and I will soon be publishing my own resource for supporting the creation of policy for frameworks.