16.1 Policy Documents

Type Definition Policy High level requirements for an overall security program. Compliance is mandatory. Standard Provides detailed requirements for implementing a cybersecuriy program and policy. Guideline Best practice on achieving a security goal(s). Compliance is not mandatory. Procedure Outlines a step-by-step process for carrying out an operation.


16.2 Using a Cybersecurity Framework

In this excercise, I will review a subcategory of the NIST Framework for Improving Critical Infrastructure Cybersecurity. This framework is designed to provide a structuted approach when reviewing an existing cybersecurity program. The Framework Core provides five key outcomes, Identify, Protect, Detect, Respond and Recover. The framework then breaks these outcomes into categories and subcategories while providing the titles of relevant reference documents. Risk Management

In this excercise, select a specific category and then subcategory. Below is a breakdown of how an organization could addresses these subcategories.

Function Category Subcategory Implementation
PROTECT (PR) Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity related duties and responsibilities consistent with related policies, procedures, and agreements. PR.AT-1: All users are informed and trained
  • Every user must complete mandatory phishing training
  • New hires are required to attend a security introduction
  • Employees are made aware when security policy changes are enacted
  • Easy to read security policy snapshots are provided
  • Employees are involved in fake phishing campaigns
  • Actual phishing campaign emails are circulated to employees as an example
  • Monthly town hall meetings discuss organisational security posture
  • Employees are given the opporunity to provide feedback and reccommednations
PR.AT-2: Privileged users understand their roles and responsibilities
  • Higher level users are briefed on the scope of their priveleges
  • Admin users are required to follow Priveleged Access Management PIM
  • Changes to user responsiblities are communicated
  • Role reference is provided to all employees, listing the name and descriptions of all roles
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
  • Third party stakeholders are provided with least privelege access
  • Roles and responsibilities are clearly outlined in contracts
  • Changes to responsiblities are communicated
PR.AT-4: Senior executives understand their roles and responsibilities
  • Senior Executives are given clear roles and responsibilities within the cybersecurity program
  • Critical roles, i.e. Incident Response, are involved in excercises and practice runs
  • Senior Executive roles are communicated to the rest of the organisation
  • Changes to responsiblities are communicated
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
  • A clear organisational hiearchy diagram is provided
  • Physical and cybersecurty personnel are fully briefed on their roles and responsibilites
  • A clear process for incident escalation is provided
  • All roles are involved in frequent practice excercises to encourage preparedness and improvement
  • Roles are flexible and modified when organizational change occurrs
  • Changes to responsiblities are communicated

16.3 Compliance Auditing Tools

In this section I will review an aspect of the the Payment Card Industry (PCI) Data Security Standard. Specifically, I will analyze the requirements of password construction from section 8.2.3 and how to determine wether an organization is in compliance with this requirement.

According to section 8.2.3 passwords must contain a minimum length of seven characters and contain both numeric and alphabetic characters. In order to verify these settings there are several measures which can be employed. The first step would be to verify the organisation’s password policy. This policy should be an easily accessible and version controlled document. After checking the policy document, the next step is check compliance in all areas the password policy would be employed.

Verifying the password policy is deployed at the user layer is a key step. Assuming the environment is using Active Directory, the default password policy can be checked with the following powershell command:


Depending on the environment, Fine-Grained Password Policies (FGPP), a feature allowing different password policies to be set based on active directory security group members could apply. FGPP password policies can be listed with the following powershell command:

get-adfinegrainedpasswordpolicy -filter *

Once passsword complexity is assessed within Active Directory, the next step is to verify password compliance on other platforms. For example, checking network devices, third-party login portals, software tools, mobile devices and application logins. The range of platforms to check here would vary significantly depending on the organisation.


A glossary of all the terms, acronyms and slang I run across for this chapter.

Policies Highest-level statements of management intent, compliance is mandatory, contains general statements regarding cybersecurity objectives
AUP Acceptable Use Policy
Data Ownership Policy States the ownership of info or data created by the organisation
Data Retention Policy Outlines what info the organization will maintain
Account Management Policy Describes the account lifecycle policy from onboarding, active use to decommissioning
Password Policy Sets password policy requirements
Continuous Monitoring Policy Describes the organizations approach to monitoring and disclosing to members how their data is monitored
Code of conduct Describes expected behaviour of employees and affiliates
Information Security Policy Provides high-level authority and guidance for the security program
Standards Set mandatory requirements for how an organization will carry out higher level policies, may change more frequently than policies
Procedures Detailed, step by step processes which must be followed in certain situations, ideally should provide little ambiguity i.e. monitoring or evidence handling procedures
Guidelines Provide best practice and recommendations for a given concept. Compliance is not mandatory, guidelines are offered to provide helpful advice.
Exceptions and Compensating Controls Need to be governed by a policy framework laying out the specific requirements for receiving an exception and the individual or committee with the authority to approve it
HIPAA Health Insurance Portability and Accountability Act, sets security and privacy laws that affect the healthcare industry
PCI DSS Payment Card Industry Data Security Standard
GLBA Gramm Leach Bliley Act, sets laws for financial institutions.
SOX Sarbanes Oxley Act, sets laws to publicly traded companies and requires these companies have IT systems with a high level of assurance
FERPA Family Educational Rights and Privacy Act, sets security and privacy controls for educational institutions
Cyber Security Frameworks Layout the overall framework for developing a cybersecurity program. NIST, ISO 27001, ITIL, COBIT
ISO 27001 Information Technology Security Techniques Information Security Management Systems Requirements Standard
COBIT Control Objectives for Information and Related Technologies
Security Control Categories Technical, Operational, Managerial
Technical Controls Enforce CIA using technical controls, i.e. firewalls, IDS, encryption, etc.
Operational Controls Enforce CIA using processes to manage security include access reviews, log monitoring and vulnerability management
Managerial Controls Procedural controls that focus on risk management, i.e. risk assessments, security planning exercises, incorporation of security into change management
Preventive Controls CompTIA Control Type -- Stop an incident before it occurs
Detective Controls CompTIA Control Type -- Identify events that have already occurred
Corrective Controls CompTIA Control Type -- Remediate issues that have already occurred, i.e. restoring from a backup
Deterrent Controls CompTIA Control Type -- Aim to deter and prevent a violation from occurring
Physical Controls CompTIA Control Type -- Security controls in the physical world, i.e. fences lighting, alarms
Compensating Controls CompTIA Control Type -- Controls designed to mitigate the risk associate with exceptions to a security policy
Audit Formal review of an organization's security policy
Assessment Less formal reviews of an organization's security policy, conducted by an organization itself for process improvement