"The scariest moment is always just before you start. After that, things can only get better," horror author Stephen King once said.
You may be at the edge of starting that scary undertaking if you have been tapped to lead writing or revising the cybersecurity policies for your organization.
This could seem like a daunting task, depending on how much attention your company has given to the process.
Executive leadership could have made this request due to increasing cyber threats. Many of SecureWorld's Advisory Council members have said the rise in ransomware has increased business interest in cybersecurity.
Or perhaps you saw a lack of documentation for training new staff and convinced team leadership to let you have a crack at writing the policies.
Now, what is the next step?
Cybersecurity frameworks as a basis for security policy
Marcia Mangold, Information Security Manager for GRC at Emergent Holdings and a SecureWorld Advisory Council member, may have just the hack for you.
By using cybersecurity frameworks to write your policies, you can take a lot of the work out of writing workplace procedures.
"If you are someone who's doing this [creating policies] manually, and you don't have a team to help you, then right here is a great place to start," Mangold says.
These frameworks, such as the NICE Framework provided by the U.S. National Institute of Standards and Technology (NIST), already include drafted task, role, and skill outlines with attention to legal and compliance matters. They are also continuously updated, which can make keeping up with major changes a touch easier if you have a smaller department or your bandwidth has reached its limits.
"A framework provides the rules and guidance. Also, they give you that roadmap that you need and also credibility with the stakeholders and your supporters," Mangold says.
Mangold will be speaking at the SecureWorld Rockies virtual conference on November 17th. Registration for this event is open now.
Though Mangold says any framework can be used, for the purposes of her presentation she is using HITRUST's Cybersecurity Framework, which can be downloaded for free in advance if you would like to follow along with her tutorial.
You might be wondering now: How long should a policy be? When should I update these policies? What should I be writing into the procedures?
Mangold will cover all these questions and more during her presentation.