Amidst all the different security technologies, such as firewalls, antivirus, encryption, etc. an entire critical category, which may be the most important, becomes either an afterthought or even ignored. In fact, without careful work in this area your other security devices and applications will be ineffective.
Let’s be clear. Organizations who fail in this area are many times more likely to suffer a costly data breach. Not 50% more likely, or twice as likely but a breach becomes an almost certainty.
What is this all-important area?
WAIT WAIT WAIT WAIT! Before you zone out let me make one recommendation. Read the rest of this post with a beginner’s mind. Read as if it’s new information. Because some of what you’ll see here certainly IS new…and the rest has become so routine that we check it off in our minds as ‘already done’ even though that may not really be the case.
First, I know you have some security policies. They may include and Acceptable Use Policy (AUP), password policy, social media policy and many more. Such policies are important and necessary, but they’re only part of the picture. In nearly every NIST Cybersecurity class I teach students reference these types of polices, but express surprise when I show them two that they’ve not seen before. Surprise turns to agreement when I explain that ALL their security rests on these two, previously unknown, or at least downplayed, documents.
Let’s cover each one:
Security Controls and Purposes
Based on the testimony of clients from nearly all 16 critical infrastructure sectors (as described in Presidential Policy Directive 21) I have only seen one organization with such a document in place. Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets (Wikipedia). The SCaP (Security Controls and Purposes) lists each technical control AND the purpose(s) it serves.
Reasons a SCaP is critical:
- Without a comprehensive list of all technical security controls an organization cannot quickly ascertain which technologies secure which assets and how.
- The SCaP clearly identifies overlapping technical controls based on their purposes. Such identification triggers an analysis of whether such overlapping controls allow for improved security with minimal impact on workflow or contain unnecessary resource intensive redundancies.
- A SCaP can be combined with the WISP (more on that in the next section) to highlight gaps in technical controls that need to be addressed.
- The SCaP can be easily referenced for external audits to prove compliance or demonstrate an opportunity to meet compliance obligations.
- A SCaP can be an underpinning document for creating executive level presentations on organizational cybersecurity.
- The SCaP serves as a tool for planning employee training on technical controls.
Written Information Security Program (WISP)
Whereas the SCaP lists technical controls and their purposes the WISP is the overarching document for all information security in the entire organization, whether technical or business focused. A WISP includes both the plans for information security and the associated polices. The SCaP, all existing security policies, alignment with security frameworks, compliance obligations and methods for handling incidents are covered in the WISP.
A WISP makes understanding of the current security implementation and creating an improvement plan possible. Without a WISP, organization information security is compliance based and haphazard. Such security isn’t truly secure, even though it gives the appearance of security to those who don’t know better.
The greatest challenge with creating a WISP may be understanding the purpose of the document. Although it contains (or links to) all other security polices and the SCaP the WISP is WAY more. The SCaP is a document about technology and how the technology provides security. Security polices are about what people are allowed or not allowed to do and how we carry out those polices via technical and business controls.
A WISP is a how document. How we create a security program, how we use it to secure our assets and how we continuously improve security. The WISP includes alignment to frameworks, such as the NIST Cybersecurity Framework and the NIST Risk Management Framework as well as references that may include the Center for Internet Security 20 Critical Controls and the ISO 27002:2013 guidance for business controls.
Reasons a WISP is critical:
- Without a WISP there is no overall guiding document for information security. Security is developed in a haphazard and or compliance focused manner.
- The WISP allows the organization to see information security from a big picture point of view. It effectively is the cybersecurity strategy.
- The WISP shows gaps in both technical controls and security policies.
- A WISP ties together information security for all aspects of the organization, not just IT. Human resources, legal, public relations, external suppliers and every other entity of the business is addressed.
- The WISP can be quickly summarized for presentation to executive leadership to explain needs for improvements to cybersecurity or to prove the capabilities of the existing cybersecurity program.
- The WISP provides a guide for properly managed security related spending.
In cybersecurity we tend to focus on tools, hardware and software. But even more important is understanding the purpose of the tools and the overall security strategy of the organization. The SCaP and WISP provide these capabilities in a way not seen in tools or other documents.
A complete cybersecurity deployment requires more than technology, it requires a plan. Taking the time to document your security systems in a SCaP and how you will implement and improve cybersecurity in a WISP could be the difference between continuing to operate a healthy organization that serves customers and or clients with confidence or becoming the next example of a major data breach.
Want to learn more about cybersecurity and creating a cybersecurity program that includes a SCaP and WISP? Check out our NIST Cybersecurity Framework courses!