4 Important Considerations When Writing Your Cyber Risk Management Policy

strongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

The cyber risk management policy answers this question: “What is our risk management philosophy and methodology based on our landscape?”

What is a cyber risk management policy?
In this policy, you will identify security incidents that could occur based on security incidents that have already happened.  Then you will identify how to prevent and remediate those incidents and what the timeline to do so would look like.

Here are four important considerations when writing your cyber risk management policy:

Identify and classify vulnerabilities

Do a scan of your platform (including production systems, public Web servers, and applications) to identify vulnerabilities.  If you use a vulnerability scanner, the tool will likely score risks based on the CVSS system. CVSS scores range from 0-10 (with 10 being the most severe) and are calculated using metric groups that take several security-related measurements into account.  The CVSS system will also assign each discovered risk a severity rating. Once you have identified the technical, physical and administrative risks to your organization. You need to classify the likelihood of each incident occurring, as well as an appropriate severity if it occurred.  Both the likelihood and severity rating can be categorized as low, moderate, high or critical. For example, if a hacker got a hold of customer credit card data, that would be considered a high risk and high impact event.

Create a SLA

Use your findings from the vulnerability assessment to create a SLA (service level agreement) for time to remediate vulnerabilities. Industry standards for remediation are:

○    Critical: before release or within 7 days of discovery

○    High: before release or within 30 days of discovery

○    Moderate: before release or within 90 days of discovery

○    Low: before release or within 180 days of discovery

Note that before you can entirely create and implement the SLA, you should have gone through the process of data classification.  With data classification, you assign labels to information, and those labels give guidance as to how that information should be accessed, used, transmitted, distributed, stored, backed up, retained and destroyed.  Doing so will help you better understand the scope and complexity of data involved. It will also help you be more realistic and transparent with your customers about what vulnerabilities your company can address in a given timeframe.

Stay on top of changes

As your company grows and adopts new technologies, your threat surface will evolve too.  To stay on top of these changes, perform a vulnerability assessment every six months or when there is a significant change in the system.  This assessment can be done using internal teams, but many organizations also enlist the help of outside consultants. For example, it’s common for organizations to outsource quarterly vulnerability scanning on their internal and external systems.  That way they can schedule the scans well in advance, and they become one less thing to remember and manage. Remember to update your SLAs at least once a year too.

Get a penetration test

Have a penetration test performed by a third party at least once a year.  A penetration test is an exercise where a consultant simulates threats that an actual attacker poses to your organization.  For instance, the consultant may send phishing emails to your users in attempts to get valid usernames and passwords to systems on your network.  Or you might opt to have the consultant attempt to get past your physical security controls and gain access to your office spaces. It is important to note that vulnerability scan and penetration tests are often used interchangeably, but they are different.  A vulnerability assessment looks at what an attacker could do with information about your organization’s vulnerabilities, while a penetration test demonstrates to what extent those risks can potentially be exploited by hackers. To use a physical security analogy, a vulnerability assessment is an equivalent of checking for locked doors and windows without entering your house; a penetration test gives the tester free reign to kick in doors and throw bricks through the windows.

The cyber risk management policy is important - not only for your business, but for your customers too.  Your customers have an expectation that you will protect their PII and take proactive security measures to manage and remediate vulnerabilities.  This policy demonstrates that you are serious about doing so.

 

About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

Automating access to cloud environments
Managing Access to Ephemeral Infrastructure At Scale
Managing a static fleet of strongDM servers is dead simple. You create the server in the strongDM console, place the public key file on the box, and it’s done! This scales really well for small deployments, but as your fleet grows, the burden of manual tasks grows with it.
Illustration of an technical employee who is offboarding from their employer.
All Offboard! The 2022 Tech Staff Offboarding Checklist
Offboarding technical employees can be a complex and arduous process with a lot of moving parts. The key to successful offboarding is to have a clear understanding of what needs to be done, who does it, and how to monitor for any shenanigans from former employees.
User Provisioning: How To Automate & Manage Credentials
How We Automate User Provisioning & Keep Track of Credentials
There are a number of ways to automate user provisioning but the real challenge lies in keeping track of those credentials.
SOC 2 dashboard
What Would My SOC 2 Dashboard Look Like?
As your organization pursues your SOC 2 certification, organization is critical. ‍You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line.
SOC 2 Audit
Everything You Need to Know About SOC 2 Audits
Whether you’re looking to achieve SOC 2 compliance, or just want to learn more about it, your Googling is bound to lead you to a wealth of articles chock full of buzzwords and acronym soup. ‍In this post, we will provide a guide with definitions, links and resources to gain a solid understanding of everything you need to know about SOC 2 audits.