Today's Topics - Imec

Transcription

10/29/2020
Cybersecurity Resiliency for Defense Contractors Webinar Series: Cybersecurity Compliance – Real Company Examples
October 29, 2020
Jana White

Today's Topics
- How to write policies and procedures – and how are they different?
- What to do and what not to do when working towards compliance
- Examples from manufacturers of what works – and what does not

Service-Disabled Veteran Owned Small Business (SDVOSB)
Areas of Focus:
- Cybersecurity Training
- Penetration Testing
- Vulnerability Assessments
- CISO-as-a-Service
- Cybersecurity Strategy
- DFARS 252.204-7012 & CMMC
Based in Greater St. Louis Area

What are policies and procedures – and how are they different?
Policies are guidelines or rules that cover what an organization expects from employees, and why. Policies cover any laws or regulations that apply to your organization and try to ensure compliance with those requirements. Effective policies set the tone for a healthy work culture.
Procedures provide step-by-step instructions for specific routine tasks and explain how things are done. They may include a checklist or process steps for your employees to follow. Effective procedures ensure that employees know what to do and keep your organization running smoothly.

How to write policies – The Do List
- Use clear, concise, and simple language
- Explain the rule, not how to implement the rule (the what)
- Always make policies easily accessible to staff
- Cite applicable rules, regulations, or laws and the penalties for non-compliance (the why)
- Review at least annually! (document the review details)

How to write policies – The Don't List
- Avoid mixing procedures with policies. Unless a law changes, an organization's policies should not require a lot of changes (procedures can change frequently)
- Don't use individuals' names in the policy, unless you must list out a current team/group like the CIRT (use position titles instead)
- Don't forget to state in each policy that violations of the policy have consequences (compliance is not optional)

How to write procedures – The Do List
- Use clear, concise, and simple language
- Address how to implement policies
- Always take user experience into account (never make assumptions)
- Include all steps, from start to finish
- Make sure that everyone who does a specific task has access to the procedures for that task
- Review at least annually! (document the review details)

How to write procedures – The Don't List
- Don't be unnecessarily restrictive or complicated
- Don't skip steps
- Don't forget to determine who is responsible for reviewing, approving, and implementing the procedure (responsible for updates too!)
- Procedures constantly evolve over time; don't forget to document and track version changes!

Common policy examples
- Acceptable Use Policy
- Clean Desk Policy
- Email Policy
- Password Protection Policy
- Social Engineering/Security Awareness Policy

NIST 800-171 policies you need
- Access control policy
- Auditing, monitoring, logging, & reporting policy
- Configuration management policy
- Identification and authentication policy
- Incident response policy
- Media protection and disposal policy
- Personnel security policy
- Physical security policy
- Security awareness training policy
- System and communications protection policy
- System and information integrity policy
- System maintenance policy
- Risk management policy
- Security assessment and authorization policy

Common procedure examples
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Incident Response Plan (IRP)
- Standard Operating Procedures (SOP)

Workflow diagram example
[Slide contains a workflow diagram]

IRP playbook page example
[Slide contains a sample incident response playbook page]

NIST 800-171 procedures you need
- Access control procedures
- Auditing, monitoring, logging, & reporting procedures
- Configuration management procedures
- Identification and authentication procedures
- Incident response procedures (IRP)
- Media protection and disposal procedures
- Personnel security procedures
- Physical security procedures
- Security awareness training procedures
- System and communications protection procedures
- System and information integrity procedures
- System maintenance procedures
- Risk management procedures
- Security assessment and authorization procedures

Compliance 101
The term compliance describes the ability to act according to an order, set of rules, or request.
Business compliance operates at two levels:
- Level 1 - compliance with the external rules that are imposed upon an organization as a whole
- Level 2 - compliance with internal systems of control that are imposed to achieve compliance with the externally imposed rules

Compliance vs. Security
Compliance: Compliance means ensuring an organization meets the minimum requirements of the policies, regulations, and laws that apply to that organization.
Security: Security is a clear set of technical systems, tools, and processes put in place to protect and defend the information, personnel, and technology assets of an organization.

Why companies should have GRC
GRC (governance, risk, and compliance) is an umbrella term for the processes and practices that organizations implement to meet business objectives
- Helps with monitoring and mitigating risks
- Helps track regulatory changes and verifies compliance
- Aligns policies and processes to organizational goals

GRC resource example - TiGRIS
[Slide contains a screenshot of the TiGRIS GRC tool]

What to do and what not to do when working towards compliance
- Start with a plan, and then get started!
- Communicate the plan and the progress often
- Focus on continuous improvement
- Set goals and milestones
- Enforce accountability
- Don't forget to explain the "why"
- Don't forget to double check (or triple check) your work

Make a checklist – Keep it updated!
Use a checklist to keep track of tasks that need to be done, policies and procedures that need to be written, and any processes that need to be developed
- Use a Gantt-style chart with milestones to stay on track
- Don't forget about training personnel on new policies, procedures, and practices!

Have a change management process
- Define the change
- Select the change management team
- Identify management sponsorship and secure commitment
- Develop an implementation plan including metrics
- Implement the change, in stages if possible
- Collect and analyze data
- Quantify gaps and understand resistance
- Modify the plan as needed and loop back to the implementation step

Make policies accessible to everyone
Your employees should not have to go through dangers untold and hardships unnumbered just to find your policies.

Provide training for procedures
- Focus on both the how and the why within the procedures
- Explain expectations from a high level, gradually moving to a personal level for the greatest context
- Don't rush the learning process; check often for understanding
- Incorporate hands-on learning as soon as possible
- Develop a training plan and regularly review it to identify areas for improvement

Check often for understanding
- Don't assume employees have read or understood your policies, even if they sign off on them!
- The writer's intention and the reader's interpretation of a policy may be different
- Ensure knowledge is current for existing and/or updated policies
- Have employees show you where a specific policy is located. If they cannot, your policies are not accessible enough

Enforce compliance

Examples from manufacturers of what works – and what does not
What works:
- Plan to execute, then execute the plan
- Be prepared for challenges
- Focus on the end goal
- Have accountability buddies (battle buddy)
What does not work:
- Delegate and forget
- Waiting until the deadline is on top of you
- Ad hoc implementation
- Lack of support structure from management

Divide and conquer
- Divide policy and procedure writing tasks among your team
  - Use areas of expertise or responsibility
  - Peer review draft work
- Check in on progress frequently
  - Load balance as needed
  - Recognize team efforts

Keep it on the radar
- Build a timeline; always keep the end date in sight
- Set up weekly or bi-weekly progress updates with the entire team
- Have a project manager review the POA&M (Plan of Action and Milestones) weekly
- Address obstacles or challenges quickly; don't let them throw off your groove!

It's ok to be a tortoise! Slow and steady progress wins
- Use your POA&M (Plan of Action and Milestones)
- Complete one task daily
- Have weekly goals/milestones
- Ask for help if you need it
- Focus on the finish line; adjust course as needed to ensure you stay on track

Real examples of success with DFARS
RECENT PROJECT IN PARTNERSHIP WITH IMEC
- Rockford area manufacturer
- Company has been in business since 1990
- Proudly supports a global customer base, including more than 60 airlines
- Integral part of the DoD supply chain
- Needed to determine current DFARS / NIST 800-171 compliance

Management support is critical
- The President took an active role in the project from the very beginning
- Attended team interviews and weekly meetings
- Reviewed and advised on documentation created by his team
- Continues to support the DFARS / NIST 800-171 compliance initiative with the goal to fully implement all 110 controls by end of year

Commitment and teamwork equals success
- COVID-19 hit the U.S. right after the project kicked off
- Client had to rapidly pivot; there were some challenges to overcome
- Never lost sight of the end goal; continued to shrink their CUI information system to a very manageable size
- Had tremendous support from IMEC

Keep your eye on the prize
- Compliance is a big advantage over competitors
- Becoming compliant strengthens the entire U.S. DoD supply chain
- The costs of compliance are less than the cost of a breach
- Security builds brand loyalty, inside and out!

Other Helpful Resources (Freebies!)
- Security Policy Templates: https://www.sans.org/information-security-policy/
- Policy and/or Framework Templates: https://flank.org/
- Incident Response Playbooks: https://www.incidentresponse.com/playbooks/

What We Covered Today
- How to write policies and procedures – and how are they different?
- What to do and what not to do when working towards compliance
- Examples from manufacturers of what works – and what does not

Jana White
ty.com
info@alpinesecurity.com
(844) 925-7463
