In my previous post, we talked about the decision to obtain a cybersecurity certification and what our initial steps were.
Today, we'll continue with those initial steps. We hope that sharing this information will help those who are thinking about getting a certification.
This sounds so obvious that I forgot to mention it in my previous post, but it is essential: top management support. Within your company, the idea of getting certified may come from one department, but it will need buy-in from top management.
Being certified requires time, money, and changes to processes across the company, affecting many different departments. If you don't have top management commitment and support, this won't work.
Here at Event Store, the top management is our CEO, and he is the strongest supporter of certification.
Benjamin Franklin said, "If you fail to plan, you are planning to fail!" I cannot agree more.
There are many kinds of people, and I'm one of those who likes to have a plan. Maybe I watched too much of The A-Team as a kid and "I love it when a plan comes together" stuck in my brain, but the truth is that once you know where you want to go, if you don't plan how to get there, how are you going to arrive at your destination?
Chaos is not my friend, but a Gantt chart is.
From the books mentioned in my previous post, you can get an idea of all the tasks you should accomplish. The list of tasks can differ from one company to another, but if you are not certified yet, you can assume that every item on that list still needs to be done. Therefore, we want to help and will share with you what we did.
As we are techies, we decided that we needed a tool that would allow us to share among all members what activities to accomplish, how long they would take, and keep track of the status.
The truth is there are different needs across the teams in the company, so various tools are used. We are not going to expect that the Sales and Marketing Team will be using GitHub to keep track of the sales funnel.
We already use Trello in our company. Although I have used Trello extensively, it has its limitations. It’s true that by paying for the Power-Ups you get the job done, but it didn’t fully satisfy our needs.
On the other hand, there is Jira. They both belong to Atlassian, but Jira is by far a more professional tool than Trello. However, Jira seemed too much for our needs.
So finally we chose an old friend of mine: Teamwork.
Teamwork has all the features we were looking for: tasks with a table view, a Gantt chart, task effort estimates, multi-level subtasks, etc. For me, having a Gantt chart was a must-have, and trust me, when you want such a feature you have to pay for it. Teamwork is worth the money.
Anyway, you can use whatever tool you want to, as long as it satisfies your needs.
Once you have the tool, let’s look into the tasks that you should plan.
Let me mention a few things about our plan:
You must define the scope: what exactly you want to certify. For us, it was our Event Store Cloud service.
You will also need inventories. If you don't have them already, this is something you will have to build. Depending on the scope of your certification, you will need more or fewer inventories for keeping track of different things (assets, suppliers, interested parties, legal requirements, and so on).
As we like to share what we did with examples, let me tell you some sample inventories that we have:
Before performing the risk assessment, you should write a policy for it, but this is not essential at this stage. What you will definitely need is a documented methodology, so that the assessment is repeatable and the next one can be compared with this one.
For the first time you perform your risk assessment, any reasonable methodology will suffice, because during the first year you should focus on what is most important for your company. There are many threats, and you will soon identify where your weaknesses are: intrusion attempts (which may call for an IDS and a WAF), DoS (a CDN or a DDoS mitigation service in front of the application), power outages (a UPS), etc. The control is the outcome of the assessment, not the starting point: first rate likelihood and impact, then decide what to do about the highest-rated risks.
Once the risk assessment has illuminated your weaknesses, you will have to create a risk treatment plan. You will address and reduce the risks by implementing security controls from Annex A of ISO 27001, using ISO 27002 as the implementation guidance for each one.
Now that you know which security controls you need to implement, you can document the reasoning behind your decision for each control, including those you leave out. This document is the Statement of Applicability. The reason for applying a control could be to reduce a risk you identified, or because the standard effectively requires it (such as controls A.5.1.1, A.5.1.2, or A.6.1.1, which you can hardly have an ISMS without).
The information security policy should be a one-pager that condenses the organization's posture on information security, which you are usually going to publish on your website.
Now that you know which are the tasks that you have to accomplish this first year, you can define your information security objectives, which should be aligned with those tasks and should allow you to measure if you achieved them or not. Doing so will reduce your effort.
Once that you know which security controls you are applying, it’s time to write the policies. The policies that we have created at Event Store are:
Each company can name policies differently or condense more requirements under the same policy, so don’t worry if your policies don’t have the same name as ours.
Writing policies is time-consuming. Therefore, we consider buying them money wisely invested, and if you have the opportunity, we recommend you buy them. Many companies offer them; we've had a good experience with Advisera. This is not a purchase recommendation, just our experience, which we hope reduces your effort.
Buying the policies does not mean that you are done. You will have to read them, fill the gaps and adjust them to your needs. This often means writing new sections or changing existing ones, but it will always be faster to adjust what is already there than to create policies from scratch.
We recommend that you read the ISO 27002 controls and match their requirements to your policies during this step. This will later allow you, during an audit, to show how you are complying with an ISO requirement, and it also records why a given sentence is in the policy (in case someone is tempted to remove it).
How do we match them? Easy: in each policy, we add a "tag" to the text. For example [#27001.A.7.2.2.d]. That means:
For example, if we look into our “Acceptable Use Policy” we will find all these tags: [#27001.A.8.1.3], [#27001.A.7.2.2.d], [#27001.A.16.1.2], [#27001.A.7.2.1.g], [#27001.A.18.1.4], [#27001.A.9.3.1], [#27001.A.9.3.1.e], [#27001.A.9.3.1.a], [#27001.A.9.2.4.a], [#27001.A.9.3.1.g], [#27001.A.9.3.1.b], [#27001.A.9.3.1.c], [#27001.A.11.2.8.b], [#27001.A.18.1.4], [#27001.A.7.3.1], [#27001.A.12.2.1.i].
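Once the policies carry tags like these, it is worth automating the cross-check rather than grepping by hand before each audit. The script below is an added example, not code from Event Store: it scans a set of policy documents for tags in the format used above, builds a control-to-policy traceability matrix, lists the required controls that no policy tags yet, and flags tags that appear more than once in the same document (as A.18.1.4 does in the list above) so you can confirm the repetition is intentional. The document texts, file names and the list of required controls are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Tag grammar as used on the page: [#27001.A.<n>.<n>.<n>] with an optional
# trailing lower-case letter naming a paragraph of the ISO 27002 guidance.
TAG_RE = re.compile(r"\[#27001\.(A(?:\.\d+)+)(?:\.([a-z]))?\]")

# Constructed sample policy texts (not the real Event Store documents); the
# tags are a subset of those listed for the Acceptable Use Policy above.
DOCUMENTS = {
    "acceptable_use_policy.md": (
        "Users must return all assets on termination [#27001.A.8.1.3].\n"
        "Security awareness training is mandatory [#27001.A.7.2.2.d].\n"
        "Personal data must not be stored on shared drives [#27001.A.18.1.4].\n"
        "Passwords must not be shared [#27001.A.9.3.1.a].\n"
        "Personal data must not leave the EU [#27001.A.18.1.4].\n"
    ),
    "information_security_policy.md": (
        "This policy is approved by the CEO [#27001.A.5.1.1] and reviewed "
        "annually [#27001.A.5.1.2]. Roles are defined in Annex 1 [#27001.A.6.1.1].\n"
    ),
}


def extract_tags(text):
    """Return each tag body in order of appearance, e.g. 'A.7.2.2.d'."""
    return [
        m.group(1) + ("." + m.group(2) if m.group(2) else "")
        for m in TAG_RE.finditer(text)
    ]


def control_of(tag):
    """Strip the paragraph letter: 'A.9.3.1.a' -> 'A.9.3.1'."""
    return tag[:-2] if tag[-1].islower() else tag


def control_sort_key(control):
    """Numeric sort so that A.9.3.1 precedes A.18.1.4 (string sort would not)."""
    return tuple(int(p) for p in control.split(".")[1:])


def build_matrix(documents):
    """Map control -> Counter(document -> number of tags for that control)."""
    matrix = defaultdict(Counter)
    for name, text in documents.items():
        for tag in extract_tags(text):
            matrix[control_of(tag)][name] += 1
    return matrix


def uncovered_controls(matrix, required):
    """Required controls that no policy tags yet: gaps to close before the audit."""
    return sorted((c for c in required if c not in matrix), key=control_sort_key)


def repeated_tags(documents):
    """(document, tag) pairs where the exact same tag occurs more than once."""
    out = []
    for name, text in documents.items():
        for tag, n in Counter(extract_tags(text)).items():
            if n > 1:
                out.append((name, tag))
    return sorted(out)


def traceability_report(documents, required):
    """One line per control: which documents cite it, or NOT COVERED."""
    matrix = build_matrix(documents)
    lines = []
    for control in sorted(matrix, key=control_sort_key):
        docs = ", ".join(f"{d} (x{n})" for d, n in sorted(matrix[control].items()))
        lines.append(f"{control}: {docs}")
    for control in uncovered_controls(matrix, required):
        lines.append(f"{control}: NOT COVERED")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed list of controls the Statement of Applicability marks as applicable.
    REQUIRED = ["A.5.1.1", "A.5.1.2", "A.6.1.1", "A.9.2.4", "A.18.1.4"]
    print(traceability_report(DOCUMENTS, REQUIRED))
    for name, tag in repeated_tags(DOCUMENTS):
        print(f"note: {tag} is tagged twice in {name}; check that is intentional")
```

A repeated tag is not necessarily an error (the same control can legitimately back two separate rules), which is why the script reports it as a note rather than a failure; a control that the SoA marks as applicable but no policy cites, however, is a real gap an auditor will find. Running this as part of the review of each policy change keeps the matrix current without anyone maintaining it by hand.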
Although the CISO can draft the policies initially, each one will later have a designated owner and will have to be formally approved. Therefore we recommend working on them with a tool that keeps track of changes, comments, etc. A good tool for this can be Google Docs or Microsoft Word (within Office 365).
Some procedures depend only on the CISO and should be written by the CISO, but most procedures depend on other departments. Because of that, each department should write its own procedures, following the requirements set out in the policies.
Again, those procedures should be linked back to the policies they implement, so that you know later why each procedure is in place.
I hope you found this information useful. In the next blog post, we will continue talking about the initial steps taken towards certification.