Tell somebody that you’re planning to make a plan, and you’ll get some snide looks. But tell somebody that you have a good plan in place, and it instills a sense of preparation and confidence.

It shouldn’t. Turning a good plan into meaningful action requires keeping your stated approach current, tested, implemented and improved. As we delve into NIST’s category called “information protection processes and procedures,” here are 10 introspective rules to help guide your organization:

  • Know Your True Self. We change over time, but not always for the better. Configuration Management is the way organizations establish their system’s baseline, and precisely control when and how it is changed.
  • Witness Life’s Journey. Security should be built into a System Development Life Cycle that covers five cradle-to-grave phases: initiation, development/acquisition, implementation/assessment, operations/maintenance, and disposal. The roles of the CISO and CIO extend well beyond what is plugged in at any given moment.
  • Face Your Weaknesses. We all have our breaking points. The key for enterprise risk management purposes is to have a mature Patch and Vulnerability Management Program that includes scanning and penetration testing, trend and impact analysis, and remediation.
  • Preserve Your Memories. There are things we would all like to remember, but no longer can. Don’t let that happen to your corporate knowledge, especially with ransomware on the rise. Review whether your most critical data (including audit logs) are, or should be, encrypted, secured off-line and placed on write-once media.
  • Create Healthy Boundaries. Technical and administrative controls account for two-thirds of a good strategy; the last part of the triad requires that you consider the physical operating environment. For more, check out the July 2015 Cyber Tactics column, “Securing the Physical Side of Cybersecurity.”
  • Improve Destructive Relationships. A data destruction policy should include what is destroyed, when and how, as well as who needs to approve the destruction of certain information (consider dual authentication in some cases, including deleting back-ups).
  • Talk It Out. Whether it’s to your Board, your risk manager or your industry information sharing partners, figure out what’s appropriate to communicate about the effectiveness of your security and help build and learn from that knowledge base.
  • Get Personal. Ensure that human resources practices help mitigate your cyber risk, starting from personnel screening and ending with de-provisioning accounts.
  • Get Over It. Four of the most important plans to have in place, kept current, and tested are Incident Response, Incident Recovery, Business Continuity, and Disaster Recovery.
  • Live and Learn. The goal is to get better all the time.

If your procedures aren’t in place yet, now’s the time to get started. For additional information on these topics, check out the most recent versions of NIST’s Special Publication 800-53 and the Center for Internet Security’s Controls for Effective Cyber Defense. Both documents are free, and planning to read them isn’t enough.


@StevenChabinsky