We Need To Talk: 52 Weeks To Better Cyber-Security

WEEK TWO

Best Practices Frameworks

QUESTIONS:

How are we doing with respect to best practices? Are there any areas where we need to focus more attention? Are there any areas that we should avoid? What best practice frameworks are we using across information security? How do we keep up with updates and changes? What kind of cross-training are we doing on frameworks?

Support Materials:

Information Security professionals often use best practice frameworks to help them understand how to implement various technologies and processes that will improve the overall effectiveness of their information security program. These frameworks provide a common language for discussing topics such as threat modeling, vulnerability management, access control, identity management, encryption, etc. They are also very effective at helping people who may need formal training in these areas to learn about them.

WEEK THREE

Security Policy

QUESTIONS:

Is there an official security policy document defining the organization's information security approach? Are those policies reviewed regularly? Has the organization ever been audited by a third party? If so, who did the audit, and what were their findings? Was anything changed as a result of the audit? Who on the team is responsible for writing and/or revising the policy documents? How are feedback and lessons learned throughout the enterprise woven into those updates? How are changes to our policies socialized across the company?

Support Materials:

Establishing, socializing, and keeping policies up to date are critical information security functions. Security policy documentation is crucial for many reasons. First, it provides a record of how you want your organization's information technology (IT) infrastructure to operate. Second, it helps IT staff understand the requirements that the various components of the IT infrastructure must meet. Third, it serves as a reminder of the security standards that must be followed at all times. Finally, it ensures that everyone understands the rules and regulations governing the use of the IT infrastructure.

WEEK FOUR

Relationships With Other Groups

QUESTIONS:

How are we working with other groups within the organization? Are there any areas where we need to collaborate more closely? Are there any areas that we should avoid collaborating with? Why? Are there any relationships that need to be clearly defined? Could those be clarified? Are there any areas where we need to clarify who owns what responsibilities?

Support Materials:

Relationships between different groups within an organization are critical to the success of information security programs. These relationships exist between IT and Security, Operations and Information Security, and even between the various departments within an organization. To effectively manage risks, it is necessary to understand how these relationships work together. For example, who will respond first if a server has a problem? Who has the authority to make decisions about the response? How does this impact the relationship between the two groups? Understanding these issues helps you build better relationships with your peers. Better relationships mean a more effective information security