
Which first? The Policy or Procedure?


A Cyber Framework Conundrum

A recent, and very new, direction in my career has seen me enter the
universe that is Cyber Security Frameworks, having been tasked with laying the
groundwork for adopting a cyber framework. Having come from 20 years of
technical support and system administration, the operational side of security
was familiar; merging formal procedure and policy with day-to-day process,
however, was a brave new world for me.

I started with the NIST Cybersecurity Framework (CSF), as it made sense to me.
The common-language approach felt right, and its emphasis on continuous
improvement was something I could gel with. However, simply slotting your
existing business procedures into the requirements of NIST CSF is not for the
faint-hearted, and I needed help, which led me to the Center for Internet
Security (CIS) Controls.

For those who do not know, the CIS Controls provide a robust framework for
beefing up your security posture: a granular set of operational safeguards
that are grounded in real-world threats and provide actionable guidance.
Again, it is a common-language, operational approach that maps beautifully to
the requirements of NIST CSF (and many other frameworks too). It all made
operational sense, and all was good in the world, until it came to creating
policy.

Frameworks require policy and process. How do you create operational policy
and process that will be good enough to satisfy the requirements of auditors
or a framework, and that will also work in a live environment? How do you
start down the road of building compliant operational policies and processes?
Do you start by mapping existing procedures to the controls? What happens if
existing procedures do not fully map? How do you create compliance from that?

Do you approach your IT teams with a list of things you need done differently
and try to mould them into a shape they might not be able to fit into? What
happens if that cannot be achieved due to resourcing, tooling, etc.? Do you
just chuck all the bits you cannot comply with into a risk bin and walk away?

There is no one-size-fits-all answer to this, but the best advice I could give
is: take small steps. Bite-sized continuous operational improvement, steered
towards your framework compliance. Understand how your IT operations work.
Know where you currently are, where you would like to be, and where you need
to be, and don't be afraid to aim at the unattainable. Halfway to unattainable
will be better than where you were to start with.

Creating policy and mapping procedure is challenging, and I found it the most
challenging part of my journey, but thankfully, if you know where to look,
there are a lot of resources out there to help. I studied many pre-existing
templates created by organisations like the SANS Institute, CIS and FRSecure,
to name a few, and I will soon be publishing my own resource for supporting
the creation of policy for frameworks.

Jason Voice

About me: 20+ years of front-line technical support, SysAdmin and leadership
roles at top-tier technology firms, and a recent transition into cyber
security incident response and cyber governance / regulatory compliance
(NIST CSF / CIS).

Feel free to message me.
