Our road to cybersecurity certification II

Andrés Méndez Barco  |  06 November 2021

security-plan-1

 

In my previous post, we talked about the decision to obtain a cybersecurity certification and what were our initial steps.

Today, we’ll continue talking about those initial steps. We hope that sharing this information will be helpful for those who are thinking about getting a certification.

Top management commitment

This sounds so obvious that I forgot to mention it in my previous post, but it is essential. And within your company, this certification idea may come from a department and will need buy-in from top management.

Being certified will require time, money, and changing processes in the company, affecting many different departments. If you don’t have top management commitment and support, this won’t work.

Here at Event Store, the top management is our CEO, and he is the strongest supporter of certification.

Planning!

Benjamin Franklin said, “If you fail to plan, you are planning to fail!”. And I can not agree more.

There are many kinds of people, and I’m one of those who likes to have a plan. Maybe I watched too much The A-Team when I was a kid, and “I love it when a plan comes together” stuck in my brain, but the truth is that once you know where you want to reach if you don’t plan how to get there, how are you going to arrive at your destination?

Chaos is not my friend, but a Gantt chart is.

From the books mentioned in my previous post, you can get an idea of all the tasks you should accomplish. The list of tasks can differ from one company to another, but if you are not certified yet, then we can consider that all the items on that list need to be done. Therefore, we want to help and will share with you what we did.

As we are techies, we decided that we needed a tool that would allow us to share among all members what activities to accomplish, how long they would take, and keep track of the status.

The truth is there are different needs across the teams in the company, so various tools are used. We are not going to expect that the Sales and Marketing Team will be using GitHub to keep track of the sales funnel.

We already use Trello in our company. Although I have used Trello extensively, it has its limitations. It’s true that by paying for the Power-Ups you get the job done, but it didn’t fully satisfy our needs.

On the other hand, there is Jira. They both belong to Atlassian, but Jira is by far a more professional tool than Trello. However, Jira seemed too much for our needs.

So finally we chose an old friend of mine: Teamwork.

Teamwork has all the features we were looking for, such as tasks with a table view, Gantt chart, tasks’ effort, multi-level subtasks, etc. For me, having a Gantt chart was a must-have, and trust me, when you want such a feature you have to pay for it, Teamwork is worth the money.

Anyway, you can use whatever tool you want to, as long as it satisfies your needs.

Once you have the tool, let’s look into the tasks that you should plan.

Let me mention a few things about our plan:

  • This plan is mainly based on our needs for ISO 27001.
  • Although we provide a prioritized list of activities, some of them may be performed in parallel, or you can’t complete one and will have to jump into the next one until the block is gone. That’s why a project management tool is so helpful, so you don’t get lost on where you are.
  • I know that some of these activities aren’t in the same order as the ISO 27001, but it’s understandable as there are interdependencies between. It’s the chicken and egg problem that we faced, and here we try to help you with our experience.
  • We just enumerate here what should be accomplished and its order, but we haven't profoundly described what each task requires.

#1 Define the scope of the certification

You must know what you want to certify. For us, it was our Event Store Cloud service.

#2 Create an inventory

If you don’t have it already, this is something you will need. Depending on the scope of your certification, you will need more or fewer inventories for keeping track of different things.

As we like to share what we did with examples, let me tell you some sample inventories that we have:

  • Inventory of IT Assets: Here we keep track of all the laptops, monitors, etc., who has it assigned, where is it, which classified data it can access, etc.
  • Inventory of Tools and Access: Here we keep track of all the tools that we use (Teamwork, Hubspot, Google G Suite, etc.), who is the System Owner, who has access to each tool according to his job position, who was granted access as an exception and when that access should be removed, etc.
  • Inventory of Information Assets: Here we keep track of all the information storage locations that we have (from a database to a spreadsheet), who is the Information Asset Owner, which information is being stored (including personal data), what’s its classification, retention, and backup, etc.
  • Inventory of Systems: Here we keep track of all the servers that we have, who is the System Owner, where it’s located (cloud provider and country), etc.
  • Inventory of Websites: Here we keep track of all the websites that we have, who is the Asset Owner, where it is hosted, which technologies it uses, etc.

#3 Perform a risk assessment

Before performing the risk assessment, you should write a policy for it, but this is not essential at this stage. What you will definitely need is a methodology, so it is repeatable.

For the first time you perform your risk assessment, any methodology will suffice because during the first year you should focus on what is most important for your company. There are many threats and you will soon identify where your weaknesses are: hacking attempts (requiring an IDS and WAF), DoS (requiring a CDN), power outages (requiring a UPS), etc.

Once the risk assessment has illuminated your weaknesses, you will have to create a risk treatment plan. You will have to address and reduce the risks by implementing security controls from ISO 27002.

#4 Produce the statement of applicability

Now that you know which security controls you need to implement, you can document the reasoning behind your decision. It could be to reduce risk or because it is a strong requirement from the ISO (such as for controls A.5.1.1, A.5.1.2, or A.6.1.1).

To document the Statement of Applicability (SoA) you will need a table with the following columns:
  • All the ISO 27002 security controls
  • Applicability: Yes or no
  • The status of application: implemented, in process, or not yet
  • Reasoning: Why it applies or not
As you can imagine, you can have this in a spreadsheet or a document, whatever you prefer. From my point of view, a spreadsheet brings you more features (as later you can filter and see only those N/A controls), but don't forget to add a tab where you later write down all the document classification and control needs.

#5 Produce the information security policy and the information security objectives

The information security policy should be a one-pager that condenses the organization's posture on information security, which you are usually going to publish on your website.

Now that you know which are the tasks that you have to accomplish this first year, you can define your information security objectives, which should be aligned with those tasks and should allow you to measure if you achieved them or not. Doing so will reduce your effort.

#6 Produce your policies

Once that you know which security controls you are applying, it’s time to write the policies. The policies that we have created at Event Store are:

  • Acceptable Use Policy
  • Access Control Policy
  • Asset Management Policy
  • Backup and Restoration Policy
  • Business Continuity and Disaster Recovery Policy
  • Change Management Policy
  • Clean Desk and Clear Screen Policy
  • Data Protection Policy
  • Incident Management Policy
  • Information Classification Policy
  • Information Security Policy
  • Internal Audit Policy
  • Laptop and Mobile Device Security Policy
  • Network Security Policy
  • Personnel Security Policy
  • Remote Access Policy
  • Risk Assessment Policy
  • Sever Security Policy
  • Software Development Policy
  • Technology Equipment Handling and Disposal Policy
  • Vendor Management Policy
  • Vulnerability Assessment and Penetration Testing Policy

Each company can name policies differently or condense more requirements under the same policy, so don’t worry if your policies don’t have the same name as ours.

Writing policies is time-consuming. Therefore, we consider that buying them is money wisely invested, and if you have the opportunity, we recommend you buy them. Many companies offer them, we’ve had a good experience with Advisera. This is not a purchase recommendation, just our experience that we hope reduces your effort.

Buying the policies does not mean that you are done. You will have to read them, fill the gaps and adjust them to your needs. This will mean that you will often have to write new sections or change existing ones, but it will always be faster adjusting what is already there than creating them from scratch.

We recommend that you read the ISO 27002 controls and match their requirements to your policies during this step. This will allow you later, during an audit, to find how you are complying with an ISO requirement, and also remind why that sentence is there in the policy (in case someone is tempted to remove it).

How do we match them? Easy, in each policy, we add a “tag” in the text. For example [#27001.A.7.2.2.d]. That means:

  • [# ]: Start and end of the tag.
  • 27001: This is a requirement from the ISO 27001. Later you can change that into "GDPR", "SOC2", or whatever other reason you have for adding that to your policy.
  • A: This is a requirement from the ISO 27001 Appendix (the same as the ISO 27002).
  • 7.2.2.d: This is the security control and the specific paragraph that is being satisfied with this sentence in the policy.

For example, if we look into our “Acceptable Use Policy” we will find all these tags: [#27001.A.8.1.3], [#27001.A.7.2.2.d], [#27001.A.16.1.2], [#27001.A.7.2.1.g], [#27001.A.18.1.4], [#27001.A.9.3.1], [#27001.A.9.3.1.e], [#27001.A.9.3.1.a], [#27001.A.9.2.4.a], [#27001.A.9.3.1.g], [#27001.A.9.3.1.b], [#27001.A.9.3.1.c], [#27001.A.11.2.8.b], [#27001.A.18.1.4], [#27001.A.7.3.1], [#27001.A.12.2.1.i].

Although the CISO can work on the policies initially, later there will be another person responsible for each one of them, and they will have to be approved later. Therefore we recommend you to work on them with a tool that allows you to keep track of changes, comments, etc. A good tool for this can be Google Docs or Microsoft Word (within Office 365).

#7 Write your procedures

There are specific procedures that will depend on the CISO, and should be written by the CISO, but most of the procedures will depend on other departments. Because of that, each department should write their procedures (following the requirements from the policies).

Again, those procedures should be linked to the policies, so you know why those procedures are in place later.

I hope you found this information useful. In the next blog post, we will continue talking about the initial steps taken towards certification.


Photo of Andrés Méndez Barco

Andrés Méndez Barco is Event Store's Chief Information Security Officer (CISO). He has been working in the cybersecurity arena for over 20 years in different positions and countries. CISA, CISM, CRISC, CISSP, CEH, GWAPT, GDSA.