CISSP Cyber Training Podcast - CISSP Training Program

CCT 240: Cybersecurity Documentation: Policies, Standards, and Procedures (CISSP Domain 1.7)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 240


Ever wonder why organizations with robust cybersecurity teams still fall victim to devastating attacks? The answer often lies not in fancy technology but in something far more fundamental: documentation.

In this eye-opening episode, Shon Gerber takes listeners into the critical world of cybersecurity documentation hierarchy, revealing how properly structured policies, standards, procedures, and guidelines form an organization's first and most important line of defense against threats.

The stakes couldn't be higher. As Shon reveals, cybercriminals stole a record-breaking $6.6 billion from US entities last year - a shocking 33% increase from the previous year. Business Email Compromise alone accounted for $2.7 billion in losses, while individuals over 60 remain the most vulnerable demographic.

What separates organizations that survive these threats from those that don't? Proper documentation that actually works rather than gathering digital dust. Shon breaks down the hierarchical relationship between different types of security documentation, providing real-world examples from healthcare and financial institutions to illustrate how these documents should build upon each other to create comprehensive protection.

You'll learn why policies should represent management intent, standards should specify requirements, procedures should provide step-by-step guidance, and guidelines should offer flexibility - all while avoiding common pitfalls that render documentation useless. Shon provides practical advice on creating documentation that's clear, accessible, and actually used rather than just created to appease auditors.

Whether you're preparing for the CISSP exam or working to strengthen your organization's security posture, this episode provides invaluable insights into creating documentation that transforms from a bureaucratic burden into powerful protection. Subscribe to CISSP Cyber Training for more expert guidance on mastering cybersecurity essentials and advancing your career in the field.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go cybersecurity knowledge.

Speaker 2:

All right, let's get started. Hey y'all, Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Yeah, today we are going to be talking about Domain 1 and Domain 1.7, where we're going to be dealing with policies, standards, procedures and guidelines. Riveting. It's going to be amazingly riveting, I guarantee you, because policies and procedures are always super incredibly riveting. I can't think of the right word but enticing. Some other big adjective that you could possibly use. But, that being said, before we get started, I wanted to pull up an article, and I first got stuck on an article that I was about ready to just throw up in my mouth. But obviously this Pete Hegseth Signal scandal issue. This is in Wired magazine. I started off with this and thought, oh yeah, okay, my gosh. I mean, you got to know there's, there are smart people somewhere in DC and you're going, what are you people thinking?

Speaker 2:

And I know, half of the time when you're dealing with news, the truth is somewhere in the middle. But this was like just kind of making my blood boil until I was scrolling down and then I decided, as I'm scrolling through the pages, then I go, oh, what is this bullet, you know? Obviously it's a little bit of clickbait for me, which is great because this came up, which is much more enticing, related to cyber criminals stole record-breaking $6.6 billion from US entities. So, hey, I pulled that one up and that was actually very, very interesting. So this came out of the FBI's Internet Crime Compliance Center, or IC3, and we've all talked about them in various podcasts that we've had within the CISSP Cyber Training.

Speaker 2:

But one of the impacts that I, when I read this article, I was like just, I mean, as you read these articles, you're not shocked, right, but you are shocked, you're just stunned at the size and scope of all of this. Well, what they basically said is that in 2024, there was a 33% increase right in losses from 2023. So you're talking a 30, that's a huge number. I mean, we're not even talking. In my business, you're happy to make 12% of your margin, right? If you make 12%, you're making money, you're doing well, but when you're talking cyber criminals, they had a 33% increase compared to what they had in 2023. So again, I gotta make sure I get my numbers right: 2024 was a 33% increase from 2023. So obviously, some of the key points of this article, which you guys can go check out and I think you'll probably enjoy, but some key points around this are phishing, spoofing, BECs, you know, your standard business email compromises, ransomware and so forth.

Speaker 2:

But just to kind of throw a little bit of, you know, idea around what's all happening here is the investment fraud. So this is involving cryptocurrency. They had the greatest financial damage, which was totaling around $6.57 billion in last year. So what it comes down to is that people are going, hey, I would like to order, I want to get in crypto and I also want to get into cyber. So, hey, let's do that, let's do this, and as they do it, what ends up happening is they give their money to these people who really don't, that they have no plan on doing any sort of investments. So it's very telling. The other part of that was interesting is that individuals over 60 were the most targeted demographic and thus the highest financial losses. What does that mean? Well, I'm fast approaching 60. So what are people doing? They're going, well, maybe I don't have enough in my retirement account to be able to retire. And so what do they do? Well, hey, crypto's on fire, let's go. I'll do that. Let's invest my money. Whatever little money I have left, I'm going to invest it in this crypto stuff. And what ends up happening? Yeah, not so good. They end up losing it. So that is really crazy. They also made a comment that cyber-enabled fraud accounted for nearly 83% of all losses reported to IC3 in 2024. So that cyber-related stuff is a monster.

Speaker 2:

So you all, as you're studying for your CISSP, you guys are the front line and helping people deal with all these issues. Now, if you're in a business, one of the things that I think is telling, and this is something that you can't really put any sort of control in place other than training and awareness, as it relates to business email compromises. So now, business email compromise they talked about in this article was around $2.7 billion. So if you teach your executives and you teach your leadership related to how to handle business email compromises, where someone gets in the middle of an email and the email chain and they act like somebody else saying, hey, please wire some money to XYZ. Happens to supply chain, happens to main CEOs, if you can get into that supply or into that group. So where you are training your CEOs, your senior leaders, on what to look out for, this number dramatically drops. There isn't much you can put in place. I mean, there's probably some sort of controls out there, a little bit. You have an easy button, you mash a button and it hopefully fixes your BEC problem. There are some of that with some of your filters that can potentially reduce some of the amount of this, but there's really not much more than just education and awareness to train your CEOs what to watch out for in this space.

Speaker 2:

That's $2.7 billion. That's a lot of zeros. So again, I'm just shocked, just shocked totally. I mean, we I know these numbers were there, we all knew these numbers were there. It's just the fact that it's just blowing my mind the fact that there's this much money and then there's things in here that are happening to people. They're losing it and they don't know what's happening. They don't, they won't have any clue. So again, you, as cyber cybersecurity professionals studying for your CISSP, it is imperative, absolutely imperative, that you help these people understand the risk to their organization. And again, what it does with you is it makes you a much better security person within your organization. It also makes you much more marketable, and it's the right thing to do, because these people are targeting people all the time.

Speaker 2:

I had an example of that with me just recently, where there's some things in our my wife's business that we were working on and I had some people phone call me trying to get me to go through this process, and I actually talked to him on the phone because I had submitted for this type of thing with the IRS, and I got somebody called me back and I'm like, really, this is interesting. And I talked to the person on the phone and the person acted like they knew my account. They knew all these things. I'm going, this is just seems fishy, something doesn't seem right here, and so what ended up happening is then they sent me a text and said, hey, just put in your banking information. I'm like, oh oh, this is so, so fishy, so bad. And so the point came down to is is that anybody can be tricked, and they have call centers specifically designed for these people. So you got to watch out for it. There's no one is immune to it, but you as a security professional. It's up to you to help them in this entire process, help your people, help your peeps, help your company and protect them and protect you in this overall cyber world that we live in.

Speaker 2:

Okay, let's go ahead and get started into what we're going to talk about today. Okay, so this is domain 1.7: develop, document and implement security policies and standards, procedures and guidelines. So I'm dealing with this right now in a company that I'm working for as a contractor and it's very, very interesting. You know, I will tell you that understanding the taking, the CISSP, is one thing, taking the exam, but understanding how it's being deployed through an organization is another. And working through when I was in manufacturing, I had, we had a way we did business, right, so these made sense. But now I'm working with a much different organization and so because of that there's, I have a different perspective that I did not have before in the manufacturing space. So I can go tell you how manufacturing did it, I can tell you how the book tells you to do it, and, again, plenty of years of going through this. But now I have another perspective with the financial institution. That is just a different animal, and then I also did it with a healthcare organization as well. So very, very, very different.

Speaker 2:

So here's some key concepts. We're going to talk about Policies and standards. These are used synonymously but they're not the same. You'll hear this going I'm using a policy, I'm creating this policy, and then they turn around and use language for a standard. They're not the same, but they kind of people blend the words together. Also, understanding the terms is an important part of cybersecurity and compliance. It's really important. Depending on the organization you're in, it's more important than others. Manufacturing it was important. We had requirements around it, but it was like, okay, it's there, but it wasn't to the level it is. In the healthcare industry it isn't the same as it is in the financial industry Very different, but the concepts are the same.

Speaker 2:

Confusion around naming again can be counterproductive. I've seen this. Now I'll be an example that I was talking to a financial company and they made this term tranche. It's in this tranche. I'm like, what the heck is a tranche? This is what we talk about on CISSP Cyber Training. Break it down to the third grade level.

Speaker 2:

You want to have the ability to communicate with people and understand what that is. So my wife, she's laughing Brilliant. It was a brilliant joke about it. A tranche is a French trench. It's a tranche. No, it's not a French trench, it's actually like a phase. So the financial industry used that term, tranche, I guess. So now you know, naming can be very confusing, so you need to make sure that you use a similar name between everything. Break it down. People may be very they are very smart, but they may use big words and sometimes those big words they assume that everybody understands what the big words mean. I'm a pig farmer by trade. I don't know big words and therefore I don't know big words. I ask questions because I'm not very smart. Right? The point is that if I can't understand it, I guarantee you people in the room can't understand it as well.

Speaker 2:

Ensure the best cybersecurity practices and plans. They all need to be hierarchical. You've got to have them in a hierarchical plan. We'll go through those in just a minute and they must build upon each other. They build and this is a foundational piece of any organization is understanding your policies, your procedures, your guidelines and so forth Cybersecurity and data protection. They again must focus on all aspects of the business. You can't just focus on doing the thing of policies and procedures for the sake of doing policies and procedures. They've got to focus on any or different aspects of your company and where you make your money.

Speaker 2:

Now, as you deal with security policy, these are high-level statement of management intent, those. What is the management plan to do? And we're gonna get into some more details around each of these, but it establishes the requirements to guide your decisions, achieve your outcomes. What is the overall plan from the CEO or the board of directors? It is the overarching plan. So cybersecurity will have its own policy. Now, typically, that is a cybersecurity policy for your company. You wouldn't have a typically this doesn't mean you won't, but in many cases you wouldn't have a very specific like a PAM policy where you have your Privileged Access Management policy. Now, you may have a standard or potentially some procedures around PAM, but you wouldn't have a PAM policy per se in most companies. Some companies who are dealing with this specifically may have that for their needs, but it's something that's formally established by the CEO or the board of directors.

Speaker 2:

Now, as a CISO, I would go and make this for my CEO or I would make it for my CIO and they would then be the ones that would write off on the policy. Now, depending on the size of the organization, it could come from me as well. In our organization previous life, they brought it all the way up to the CEO or to the CIO on any of these specific policies. They did not come from me, because it would. In some respects it would be kind of a if the CISO is giving it out. It's now just a security thing. It's not actually a company-wide thing. So you wanted to get it up high enough where people would respect it to be a company-wide policy. Now it defines a specific scope of an organization and it implores clear and concise directions. What does that look? But it is big. It's big from an overall view standpoint. It defines the importance of security and the importance of protecting company assets. So again, you want to call all that out why it's important for an employee to be able to do this, why do they have to be aware of security? Why do they have to manage it.

Speaker 2:

And these exceptions to the policies do happen, just like everything we talk about in this world. There are exceptions. However, they can be very rare and if you want to, you want to make sure that? Well, not, if you want to, you really need to document any exceptions that are added to this policy. So if you have a specific situation where in your policy, everybody must have a password of 55 characters, right, let's just say that's the case. They must have complex passwords and with an expectation that it's less than, or it has to be more than, 12 characters. If you have a situation where you have it, allow eight characters, there would have to be an exception, and there might be some equipment that can only have eight characters. So therefore, that exception would need to be documented.

Speaker 2:

Another one I have as an example on the slide is around formal policy around scanning systems In OT or operational technology networks. Scanning can be a big problem. It can actually cause them to roll over and die, and so, because of that, you would want to have some sort of exception to that rule. So, again, if it isn't granted, you must make sure you have a compensating control should be implemented, or I mean you want to. Should is a key term. You don't have to have it, but you need to document the fact that if you're going to allow an exception, what is the compensating control? Or are you just going to accept the risk for that situation?

Speaker 2:

So there's types of security policies. You have organizational security policy, you have issue-specific policies and then you have advisories. Now your organizational policies would be a specific business use case or need and they can vary between business units. They can vary between financial, healthcare, manufacturing. They all can be in different places. Now you may have a very specific policy, such as issue where you are sending money outside your organization, i.e. the business email compromise which we talked about. You have a policy that says if we're going to be sending money outside of our company, there have to be two people agree to this, and one must be the CEO or the financial person. The next person must be the CFO and they both must sign using DocuSign to make this happen. You can't just say, hey, Billy Bob called up and said, yo, Joe, please send the money. Now again, you can do that, but if you have some compensating controls in place, then you need to make, well, you need to have some compensating controls, other than calling up Joe and saying, hey, send half a million dollars to XYZ, but just a bad idea, because in today's world, especially now with AI and ML, we, you, you can jack up people's voices to the point where they don't even know who it is, and I was.

Speaker 2:

I mentioned this once before in our podcast. There was a priest that was doing exorcisms, and this is a Catholic priest, I think it was Catholic, and he was mentioning how people, now he has changed his overall scheme on how he's helping people, because there's folks that are scamming people out of money because of the fact that they've used his voice in doing this. So it's out there. You guys have got to be prepared for that. Also, there's advisory ones, obviously, around acceptable use activities and then USB usage.

Speaker 2:

All of those pieces are a part of your security policy and all of those can be deployed within your organization. So what are the hierarchical aspects of policies to procedures? So how this works is that you let's just start. You'll see on the slide there's like a pyramid looking thing. Now we're going to start at the bottom, the most basic, elemental part, where that defines the practices. This is the things that people turn knobs, they push buttons, they do all of these different pieces and that is a procedure. Now this is a prescribed set of implementation standards and guidelines. This helps all of these things build upon each other.

Speaker 2:

Now this is understood in many areas of what they call a SOP or a Standard Operating Procedure SOP. These are typically a step-by-step process in making these things happen. So if you go, if you have like a SOC and you have a way that you would go through and check to make sure that you have your spam filters in place, it's a step-by-step checklist that would walk you through that. I'm doing a reconnect SOP for somebody right now playbook kind of thing and that would be an SOP. That would be something that would be set up and you would go from how you're going to turn off a SASP or a service that you may have. How are you going to turn it back on. Those are different types of SOPs. Now, military regulatory bodies will commonly use SOPs, but it's not just them. It depends upon the organization and how they will use them. But just think of them as the most elemental piece of your organization. It's the step-by-step checklist that you would occur.

Speaker 2:

Then the next thing is and one of the points I want to have is your hardware, software, how to make changes. Again, it's a living document. That's the other part to think about. It is a living document within your company and it will be subject to change routinely. But you do need to make sure, as we get into the documentation piece of this, you do have revision control based on this.

Speaker 2:

They can be very onerous to create and maintain, depending upon where you put them. I will give you an example Keeping them on a SharePoint site in a PDF form and then having a Word document. Where you have a Word document, you then make it into a PDF. You then publish the PDF. That's very onerous. You may want those procedures in maybe something a little bit more fluid, like maybe just a web page per se. Right, you have a web page that has numerous types of procedures on it and they click to it. The downside with doing that is, if your web page goes down, do you have access to actual physical documents that you can do your procedures on? Ran out of this in the OT space as well. They actually had books, so they had it on a web page. I'm trying to think of the best way. But you could have, like a SharePoint site which gives you a web page. You could have it on a web page, but they also had printed off versions of each of these procedures because, in the event that the web goes down, you need a procedure to be able to look at and be able to do what you need to do. So, again, they can be onerous. They do change a lot and you do need to have a structure, a life cycle in place to make sure that as you're building these things, you have a way to put revisions and also publish new revisions.

Speaker 2:

Now a guideline is considered is really additional information and guidance. It's routinely not considered as a mandatory practice. You may get these into job aids, they may be some other thing. That is just helping you give you a little bit more context versus a checklist that you would have with a procedure. Now they recommend these on anytime you're implementing a standard or baseline. You'd have potentially a guideline to talk about that or a guideline to talk about the procedure itself. Specifically, they, if you look at the pyramid, they kind of the next step in a procedure, but they may flow between the standard and the control objectives, depending upon how you want to detail this out with the context. Again, they're more designed for users and other security professionals just to understand the bigger, broader picture of everything there.

Speaker 2:

Now the standard this is where the organization will set specific requirements. This is designed to specifically deal with control objectives and we'll kind of talk about what is a control objective here in a minute. Typically they're tactical in nature and they specify methods to meet the specific control. So you'll have control objectives in many cases built into the standard and how you're going to meet them. So some of the typical documents you'll have is you'll have a policy, you'll have a standard and then you'll have a procedure or a playbook and the control objectives will sit inside the standard. The guidelines will kind of help maybe give you context around the standard or on the procedures, but those are just kind of the way it's set up. Again, it depends upon your organization and how they play it out, but typically it's policy, standard, procedures.

Speaker 2:

Now the control objectives. These design the detail of the control. Specifically this defines the outcome that was to be achieved by implementing the control. And you may have the fact that MFA must be enabled in all external communications. That would be a control MFA, external communications. That would be in place in your standard. And so therefore, now it's defined that you must have a multi-factor and you must have now the control will be any external communication would be done with multi-factor, then you now have to have the implement will be any external communication would be done with multi-factor. Then you now have to have to implement. What tools will you implement to manage that control, that specific verbiage, that specific line?

Speaker 2:

And you guys are listening to this, probably going oh my gosh, this is so painful, and you're right, it is. And a lot of organizations will avoid this because it's painful. So what they do is they'll just go. We'll put a policy out there. Everybody, just do your own thing. Watch our policy. Don't do anything you shouldn't do. Let's move, and that's fine, and that will work for a while until it doesn't. And then, when it doesn't, you're going to be not happy. And the reason is is that going to stop? Is your policy going to stop people from not doing bad things? No, they're still going to do it. Is your standard or guideline or procedure is going to stop people from doing bad things? No, they're still going to do it.

Speaker 2:

However, if you don't have this documented and now you go to, basically and I've seen this, lived it where you now are going to go and sue somebody because they stole your stuff, well, one of the first things they're going to say, when you go to sue them because they stole your stuff? Well, do you have this documented in a policy or a standard or a guideline or a procedure? Do you have this documented anywhere? No, well, if you don't, then guess what? You're probably out of luck. So the point comes into is that you are going to have to deal with this, whether you like it or not, especially if you're dealing. As we get become more regulatory in nature, it's definitely going to become a bigger factor. So don't put this off. You need to do it, develop, develop the time and the energy and the effort to make it happen.

Speaker 2:

Now, as we talk about policy, high level statement of management's intent, what is your overall plan from your organization? And it's divine, divine, divine. Yeah, it could be divine from God, but no, it's not. It's designed to be implemented by all parts of your business or organization. So, again, you want it to flow through your entire company and that policy is the overarching piece of this. So again, just kind of a real quick synopsis of them and the importance of them. Policies: they establish authority, they communicate management commitment and they define the scope. This is the basis for accountability within your company. Standards: they ensure uniformity. They help reduce the complexity of your organization. And then the interoperability, big $10 word. Again, it's not third grade level, big interoperability, see, I can't even say it, it's just the communication between them. Right, they're communicating between the different business units and allows them to help ensure that you have enforcement and auditing as you're going forward.

Speaker 2:

Now, one thing to keep in mind is the fact that, as you're dealing with financial institutions and with healthcare, audit is a big factor and having audit involved, they're going to want to see all this documentation. Having this defined makes audit happy. When audit is happy, you are happy. So you want to make sure you keep audit happy. Okay, did I say that? Enough Procedures these are designed to minimize errors.

Speaker 2:

Again, they want to have the point of that. You actually will go through each bullet. They're more of a checklist, like a job aid kind of thing. Well, not really a job aid, that's more of a guideline, but they're kind of an aid in training and so forth. They help guide you in a direction you need to go. Guidelines can be like a job aid. They offer flexibility, promote best practices. They kind of give you context about specific institutions.

Speaker 2:

Now, there's a thing called a baseline and this might be what they call a, well, not what might they call it. They do call it. It's like a minimum acceptable security posture. I've dealt with baselines and minimum acceptable security criteria. When you're dealing with a large organization, it helps you identify what is the minimum standard that you want to have. This may be documented in a form or a guideline. It could be documented in a procedure, but it's a minimum acceptable security posture. Is there a perfect thing for this? No, you can do it however you want. The key bullets to remember is policies, standards, procedures are the three main buckets you got to deal with. Your guidelines, your baselines and those other aspects of control objectives kind of all flow into this. But, and I know this is a lot and you're going, I don't understand all this. I highly recommend you go to CISSP Cyber Training. You watch the videos that I have. It'll walk you through it over and over again. Listen to this podcast multiple times and it will help you kind of formalize it in your mind.

Speaker 2:

So what is the importance of defining this security documentation? I'm going to come back to this again Based on risk assessments. Depending on, like, if you're in the financial industry, you may have a risk assessment. You may have legal regulatory requirements that force it. You've got to have specific documentation, and this helps address specific issues or gaps that may be identified. I'm going to give you a good example.

Speaker 2:

I'm working with a gentleman right now Very smart man, super smart. He leads security for an organization. This guy's got it together right. He's got really good plans, he's got really good capabilities, good people, but his documentation stinks. And the point of it is is he's like, well, I don't need it, their auditors aren't asking for it. They ain't asking for it now, but they will ask for it. And if you don't, I had my CIO made a comment to me because I sometimes have a cluttered desk. You know, my desk gets a little messy at times and he came up to me and he says you know what Cluttered desk, cluttered mind and I'm like, well, I don't necessarily agree with that, but I get what you're saying right. The point of it is, if you don't have this stuff documented, it's, it's kind of cluttered desk, cluttered mind.

Speaker 2:

Uh, you need to document these pieces because they're super important. One it gives a legal issue that may come up. You're documented. Two, if you as the expert, let's say you are the person and you've got all the knowledge. You're on in a trip in Hawaii and now everybody's going. I don't know what to do because there's nothing documented. They're going to be calling you in Hawaii with you and your wife on the sandy beaches just relaxing, drinking a Mai Tai, and, yeah, then you're going to have to deal with that mess.

Speaker 2:

The goal is you've got to document everything you do. Defining scope and audience: this is clearly outlining each of the systems, departments, user groups. All of that is being defined with your scope and who your specific audience is, but it's also tailoring the language in your documentation to the level of detail for the specific audience. As an example, the policy should be very high level, should be targeting the entire audience of your company. So you've got to get, again, to a third grade level, maybe even first, depending on what your company does. You know, if you're taking care of babies, maybe first grade, I don't know, but you've got first to third grade levels and you want to do that from a policy standpoint. However, if you are the SOC and you're dealing with incident response, you're not going to put those different terms at the third grade level. They may be third grade for a SOC analyst, but they're not third grade for a CEO. He won't know what any of the stuff is that you're talking about. He doesn't even know what a SOC is. It's something you put on your foot. He wouldn't know. So, therefore, you need to define the scope and the audience specifically for your organization. Again, I'm making generalities. He probably knows what the SOC is, but people don't, right. You say that word and they have no clue what you mean by that.

Speaker 2:

Content creation and collaboration. You want to make sure this is a key piece. I'm creating content for this third party, for this company, and it's good content. Just ask me, right, it's awesome content. However, if they're not involved in this overall process, I'm going to be talking to them and we're going to go right past each other, because I'm going to use words or jargon that they may not relate to or understand, and because of that, they're going to go, I don't get it.

Speaker 2:

So you need to ensure you have clarity. You need to make sure everybody's involved. All the teams are involved: legal, compliance, HR, CISO, any of the BISOs, which are your business information security officers, any of those folks. All the key people need to be involved and you need to have clear, concise, unambiguous language. Avoid technical jargon whenever possible. Again, the technical jargon should probably be in the procedures and that's about it. You really want to keep everything else very high level, which makes it challenging.

Speaker 2:

So you also need to have an approval process. This is establishing a formal process for review and approval by the appropriate levels of management. You've got to have the CISO approve it. The CIO has to approve it. Your director of security operations has to approve it, depending upon where it's at in the overall plan. If it's a procedure, probably the director of security operations. If it is a standard, it's most likely the CISO. If it is a policy, probably the CIO. So those are the different pieces of it, right. So you need to have that done, and it also helps ensure accountability and buy-in from your specific leadership. They're aware it's not just Shon going off and doing his own thing in the corner. Just let Shon be, throw some pizza at him, he'll go do his stuff. Leadership is going to be accountable and responsible for much of the things you talk about.

Speaker 2:

As an example, I'm using a connect and reconnect playbook right now, and what that basically means is, say, I'll use when I was working in the manufacturing space. We had connections with third parties and we would send them very critical data, and these third parties would be government entities. We would send them critical data around what's happening at our facility. If I'm sending them a document, or just whatever, and I have to shut it off because of a malware incident, I have to have a plan on how I'm going to shut it off. I also have to have a plan on who is going to approve this shut off, and in many cases it's the CISO. I could do that, but I documented that all the way up to my CIO, and then I was assuming that he would then, which he did, bring it up to the CFO and the COO to make sure they were aligned with it.

Speaker 2:

Again, the approval process. I had the decision rights to do it. I could do it. However, I wanted to make sure that there was a paper trail from when I said I'm doing it, that everybody was aligned with what I was actually trying to accomplish, because there are consequences that happen the moment you turn that stuff off. Regulatory fines, people with guns start knocking on your door. All these things can happen to you if you do this incorrectly. So again, these are the years of knowledge that you won't get from just a book, or a guy that tells you, I'm going to make you a millionaire by just studying cybersecurity. That's craziness. But that stuff you're going to get with CISSP Cyber Training. Sorry, just a little bit of a tangent.

Speaker 2:

You need to establish a schedule for periodic review and update based on changes in technology, threats, regulations and business needs. All of these things need to be done. You need to have version control and maintenance on each of these documents that you put out. Again, documenting the details, part two: your centralized repository. You need to store these things in a central location. I've dealt with auditors and they want to see it, they want to be able to touch it, they want to know where that's stored and the fact that everybody else has access to it as well. So a central location. It can be whatever you want it to be, it just needs to be in a central spot and everybody needs to know it's there. It's not just Shon knows it's there and nobody else knows it's there. Everybody needs to know where it is stored. Consider electronic document management systems for version control and access management. You may want that. I know in the legal space, Hummingbird is one that they've used, that I've dealt with in the past, but any sort of legal documentation, it's a check-in, check-out kind of thing. You may want that, depending upon your company and how detailed you want to get with your documentation.

Speaker 2:

Clear and concise formatting. The formatting must be the same. Another thing to think about: if your policy, standards, all of those have the same type of formatting and it gets down to a procedure and the procedure doesn't look the same, most people are like, yeah, so what? It doesn't have to look the same. I agree it doesn't necessarily have to, but it should flow the same. If you're having purpose, scope, outline, overview, all of those kinds of buckets, roles and responsibilities, they should mirror going all the way down from your policy down to your procedures. And again, it's just helping with standardization. It's helping with people seeing something over and over again, and they actually understand when they see it. So, as an example, they've seen a policy and they know what it looks like. They see a standard and they know what it looks like. Something comes up on a webpage that looks just like those two things. Well, it's probably some sort of documentation very similar to your policy and standards. Ah, okay. Without even reading it, they can see that. So it's an important part.

Speaker 2:

We talked about the formatting. Now, communication and awareness. This is imperative. I'm running into this right now. You need to make sure that everybody's aligned with what you're trying to accomplish. People need to be aware, from a training standpoint, of what exactly is a standard, what is a procedure, what's in it, why are you doing it. People need to know this because, one, it's just important for your organization to push this out through your organization, and if they're not taught what it is, they're not going to really even use it.

Speaker 2:

A good example around this is the use of CRI, which is a cybersecurity risk institute, and it's kind of a framework that falls under the NIST cybersecurity framework, but kind of in conjunction with it, that financial institutions are using. I'm in this contract and we're helping them with their implementation of CRI as one aspect. But when I mentioned CRI to these people, they had absolutely no clue what I was talking about. And yet the organization, the top level organization, says we are going to use CRI. But as you go down to the minions down below, nobody even understands what it means. So it's imperative that you have communication and awareness around what the overall plan is.

Speaker 2:

Use various training methods such as intranet or internet postings, training sessions and then email notifications, again, getting this information out to people. Training and awareness programs, we talk about that. Again, it's imperative that you do those, and it helps reinforce the understanding and compliance throughout what's ongoing within your company. Imperative, imperative, you must do these. I know people don't like to do them, because you've got to go talk to people and you've got to constantly be yapping and you've got to go, it's one more thing I've got to do on my list of 8 million other things I've got to do. I get it. You've just got to do it. Just suck it up, buttercup, get it done.

Speaker 2:

Integration into business processes. You need to make sure that as you build these policies, procedures and guidelines, you build them into your business processes as well. Workflows. I see this time and again. Nobody builds a process or a workflow, they just kind of go, yep, here's a document, go away, I'm going to continue doing what I'm doing. And again, that can work fine in smaller organizations, but as your organization grows, that will not work. You also may not want, I'm going to have a process for this and a process for that and a process for this. That's just too much. But there are some things you need to have a process for, such as business email compromise. How do I deal with moving money? That's a big one. You want to have a process for that. You want to follow the process behind it. Multi-factor authentication. Provisioning new people within your organization, you need to have a process on how to do that. Storing credentials in a PAM, privileged access management, system, you want to have a process on how to do that. All of those things. I'm beating the drum on this, but it's imperative that you do build these things out within your company. So it's just part of doing business.

Speaker 2:

Enforcement mechanisms. You need to have clear consequences for noncompliance with mandatory policies and standards. Again, you've got to have a way to beat people over the head with a stick. Not physically, you don't want to hurt them, and that would be called assault. We don't want that. But you've got to have a way that you can then enforce the fact that you are saying, you must go do, son, you must go do, young lady, what I'm telling you to do. Man, I just sound like an old crusty fart when I say that. You must go do this, right. So therefore, there are consequences. If you don't do this, you will lose access. If you don't do this, you will be fired. People need to be aware of those kinds of consequences. Implementing technical and administrative controls to support the enforcement, right. You check off, you fail too many email phishing attempts and you get caught too many times, and you now lose network access. Well, if you don't have network access, you lose your job, so on and so forth.

Speaker 2:

Monitoring and auditing compliance. You may have auditors that will be looking at things like this and they are going to be asking about this. They're going to be monitoring, ensuring that you are adhering to your policies, standards and procedures. You publish them, you make them. They're going to hold you to it. Not just, hey, this is shelfware, I'm putting it out there, I made it, everybody look at it, it's pretty. No, that's not it. They need to have policies, standards and procedures. You need to monitor those, and then you conduct regular audits to identify instances of noncompliance and areas where you can improve. Again, audits are an important part of this whole process, and I hate to say it, but you're like, I've got people on top of people on top of people. And it's true, especially depending upon the organization you're in.

Speaker 2:

Now, in some organizations you don't need that, right. If you don't have regulatory requirements, you don't want to have to deal with some of those pieces. You may not have to have the auditing and extra additional aspects, but if you are in a highly regulated industry, yeah, you're going to need all that, okay. So in the healthcare industry, we're going to kind of walk through a couple of different things, and I want to have some examples for you. So we're going to talk about a policy, an acceptable use policy for electronic health records. So you would want to make a policy on acceptable use, what is considered acceptable use for healthcare records, and then you want to call out what would be, like, privacy, data integrity, compliance with HIPAA. That is an overall policy around acceptable use. Now, it could be acceptable use for BYOD, bring your own device. It could be acceptable use for using company equipment. It just really depends.

Speaker 2:

A standard, an example of that would be a strong authentication standard for accessing patient data. Do you have multi-factor authentication? And you must. It mandates that you have multi-factor for all personnel accessing EHR, electronic health records, or other systems that have PHI, protected health information. So again, you start up high, you've got your acceptable use, and now you've got your MFA with your authentication.

Speaker 2:

Then you go into a procedure. This outlines step-by-step what the employee must do if they suspect that there's a security incident that may involve PHI. How are they going to do it? Who are they going to notify? What is the phone number? What is the email? All of those things would be a procedure, a step-by-step guide. You can also use the term playbook; it might be something similar to it. And then a guideline. This is for secure disposal of electronic devices containing PHI. How would you do this? If you're going to wipe or destroy hard drives, wipe or destroy BYOD devices, how are you going to do that? That would be what we would consider a guideline.

Speaker 2:

Now, again, all of these are just subject to whatever organization you're in, but you can see the bigger picture as it goes from policy, standard, procedures, and they kind of work their way down. Now, one thing I would recommend is get with your organization to make sure that you have the same terminology. And I'd say I've been with companies that have said, I have a policy, I have a standard and I have a playbook and I have a program that's an overarching plan for my entire company. You've got to make sure you understand that you're using the same verbiage for your company. Policy and standards are pretty similar, but I have seen differences between procedures, playbooks, checklists. They will have a job aid. It's kind of like your guideline, but they'll have different terms based on what you're using.

Speaker 2:

Now we're going to deal with the financial industry. What is that? Do you have a data classification policy, which could be set up specifically around your policy, and this would categorize all financial data based on sensitivity: confidential, restricted, public, top secret, however you want to do it. And then they would define the security controls for each category so that it meets GLBA or PCI DSS, NYDFS, all of these different types of financial pieces are in your data classification policy. Then your standard would be an encryption standard for data at rest or in transit. So, like, if you have data that's being sent somewhere, how should it be protected? What is the protection mechanism that you're using for that? Does it require long key lengths? Does it require large passwords? What does that maintain? Are there specific algorithms it has to use, and so forth? That would be the standard.

Speaker 2:

Then a procedure would be around processing wire transfers. What are the steps to avoid BEC type situations? These are the steps, you've got to verify. I call Bill, Bill calls Fred, Fred calls George, and they all have to agree through DocuSign that we're going to send a wire transfer. That would be a procedure, and that would be done specifically for dealing with high value transactions. Guidelines. This would be like secure remote access for employees. If you're using VPNs or any sort of authentication that's coming into your company, these are some guidelines on how to use them. Here's how your endpoint security works for your company.

Speaker 2:

All of those kinds of pieces would be in a guideline. Again, policy, standards, procedures and guidelines. This is just using a couple of snippets. It's not the be all and end all, but it gives you an idea of what you're trying to accomplish when it comes to these various pieces of this documentation. So now some other items to consider. Again, consider security minimums, which we kind of talked about at the beginning. What are your cybersecurity minimums? These can be very specific for databases, servers and so forth. You may have a minimum expectation set up for servers, minimum expectations for desktops. That could be a part of this overall standards process, and you may want to document that. I would highly recommend you document that within your overall program. Again, policies, standards and controls are expected to be published for anyone within the company. So your policies, your standards and your controls are designed so that anybody who reads them can have an understanding of them. You want to be clear. So if it's for anybody within the company, the verbiage needs to be very focused on what you're trying to accomplish, and avoid acronyms at all costs.

Speaker 2:

Essentially managed by, potentially, a GRC or IRM platform. What does that mean? You may have a governance, risk and compliance platform that all your data is stored in, and if you want to get the document out, you publish it and then you may check it out, type of thing. They're typically published, potentially as a PDF, in that format. That's a good place to store them, in your GRC platform, versus on a webpage. That's, again, for your policies, procedures and so forth. If you can get procedures in there, I would recommend it. But again, a central location of some kind is really, really important. If you have to have two locations because your procedures, they won't allow you to put them in there, then just limit it to two. All my document stuff for my company is in one and all my checklists are in another. That's fine too, but it just needs to be well known by everybody in the organization.

Speaker 2:

Some things to avoid. Again, one document that covers all cybersecurity aspects of the business. I have a policy, a standard, a procedure all in one document. Yeah, don't do that. That would be a bad idea. Blending high-level policies with others, such as procedures, can cause confusion. And again, you're going, well, I just have documents for the sake of documents. You are correct, you have a lot of documents, but you've got to put it down, because we as human beings need something like that. You need to be able to step it through, step by step by step. Provide all documentation to everyone. Everyone within your organization needs to have access to these documents. Specifically, now, procedure documents may or may not be available. You may have a set of procedures that you want to push out to everybody so everybody can see them, but you have your super secret hidden menu items off to the side.

Speaker 2:

I'm kind of torn on this whole thing. I've seen organizations that have done that. Personally, if everybody in the organization needs to know how you configure your spam filter, I don't think they need to. I think that's a very specific thing for you and I don't think it needs to be published to everybody. Your standards, your control objectives, your policy, yes, most definitely. Playbooks, that depends on the organization, but there might be situations where, if you're going to do that, where some playbooks or procedures can be out there for everybody to see, then you need to keep everything in one location. So, as an example, you wouldn't have one within a GRC platform, one within a SharePoint platform that's open to everybody and another one within another SharePoint that is limited. I would consolidate that. Take that down to two instead of three. So, something to consider in that regard.

Speaker 2:

Defining documents to be audit ready, and thus not useful documents, okay. So this is the problem, right. I made this document and it's got all the right language in it. It's audit ready. If they audit it, it's gonna look amazing, they're gonna pass me. It's not useful. Okay, that is just not useful. Auditors are people just like you. Be concise, be clear, tell them what you're trying to accomplish, and make it a document that people will reference and use, because otherwise you're just making work for yourself, and what you're doing is you're trying to put something out there to go, well, hey, if I do this, I'll keep the auditors away. No, that is not the approach with this. This will not work. If you do that, I mean, it'll work for a period of time, but then something's going to happen and you're going to go, I wish I didn't do that. So you need to just go from the beginning, rip the band-aid off and do it the way you should do it, and then you don't have to worry about it.

Speaker 2:

Cookie cutter approach with documentation on policies, control objectives, etc. Okay, so I say that the documentation needs to flow, it needs to be consistent, but you don't just go copy, paste, copy, paste. I've seen it where people have had documentation and they pull it right out of the NIST cybersecurity framework and they put their control objective in there exactly how it would read within the framework, and it doesn't really help. And what ends up happening is people don't really even understand what that word means. They don't understand what the control objective means. You have to take these control objectives that are out of NIST, or out of the frameworks that you deal with, and put them in your standards and word them in a way that meets what you're trying to accomplish, so that people can read it and go, oh yeah, that makes total sense. Versus going, MFA, tied to the fourth power, tied to this, tied to that, is for only smart people who really can understand this sentence. Then you're going, oh, that's not a really good control objective, because people like me would go, I have no clue what you're talking about. So an important piece of that, you need to make sure that you understand what you're trying to convey. These are some of the frameworks. Again, you have the NIST cybersecurity framework, CRI, 800-171, 800-53, 27002 for ISO. All of those are available.

Speaker 2:

You can get all that stuff online. You can get access to it. I highly recommend, if you're going to be in security, yes, you've got to read this stuff. It's boring, it'll put you to sleep at night, but it's very, very important that you understand it, because you will be held accountable to it, and you're also taking your CISSP test. Ah, guess what? It's probably going to be on the test in some form or fashion. So understanding it is going to be an important part of what you're doing. Okay, that is all I have for you today.

Speaker 2:

And again, I'm excited for you to see CISSP Cyber Training. You need to go to CISSP Cyber Training. You need to check it out. It's all there and available for you. I've got a mentorship program. You can get access just to the documents, all of my test questions. You can get access to all my content, my videos. All of this stuff is available. You can read and study for it on your own.

Speaker 2:

So, again, CISSP Cyber Training is designed for the self-study person. This is designed specifically for you that are wanting to take the CISSP but don't want to spend $15,000 on going to a training program, and maybe don't have the time to do that. This is designed specifically to give you that benefit, and I don't charge a lot for my videos because I want you to have the access and have it available to you. However, you've got to put the time and the effort into it. You've got to focus on studying for this exam.

Speaker 2:

I wish I would have had my blueprint that I've created specifically for CISSP Cyber Training, and I wish I would have had it, because I went through and studied the book from beginning to end, writing notes, doing all of those things over and over and over and over, trying to understand what the heck I'm trying to get here, and I still failed the test. I didn't have this level of knowledge. I didn't have someone teaching me this. This is 20 plus years of security experience that I'm trying to give you that will help you pass the CISSP. I deal with CISSP stuff on a daily basis, every bit of domain aid. I'm dealing with it all the time, every single day.

Speaker 2:

This is stuff that you can use to help you pass the test the first time, and if it's not the first time, that's okay too. It'll help you pass the darn test, because that's what it's about. You need to get the test so you can move on and enhance your cyber career and help protect all these people that are being taken advantage of by these cybersecurity nut jobs. Not cybersecurity, the stealer people, the people that are stealing your stuff, right, those guys. They're crazy, they're stealing stuff. They need you to help them. All right, beat that drum to death. See, my third grade education did come out right there. You saw it. All right, have a wonderful day and
