The Ultimate Cybersecurity eGuide - AssureSign
The Ultimate Cybersecurity eGuide 4 Easy Steps to Securing Your Organization


“Trust is the cornerstone of every successful enterprise. In a digital era, confidence among consumers is attained by ensuring their personal information is kept safe and private. Adopting strategic and responsible cybersecurity practices to protect this sensitive data is paramount to establishing and maintaining trust between company and consumer.”

Donald Kratt, Chief Technology Officer


Introduction

World War III is in full swing. The underlying threat? Not a foreign military’s volatile missile defense system, nor are accusations of election interference to blame. In fact, this speculative WWIII involves no physical threat whatsoever. The battle of the century has been waged on the platform that powers nearly every aspect of today’s market: cyberspace.

Fielding suspicious emails, comparing anti-virus software, navigating WiFi issues, juggling multiple passwords… these and similar digital hassles often leave tossing your laptop out the window all too tempting of an idea. Yet the rise of digital intrusions, and their level of sophistication, make these and other digital safeguards definitive of an organization’s vitality in today’s market.

In its most recent report, the Department of Homeland Security identified an alarming trend of widespread cyber intrusion attempts, affecting both the public and private sector. Since the report’s publication, intrusions have only increased in sophistication, scope and impact, leaving virtually no organization immune to cyberthreats.

Despite the growing impact cybersecurity has on an organization’s vitality, the Hiscox Cyber Readiness Report suggests that 53% of today’s market is ill-prepared for threats posed within the digital ecosystem. And while breaches affecting mega-retailers may dominate the news cycle, most of these unprepared organizations are small to medium-sized businesses (SMBs), which lack the resources of their Fortune 500 counterparts.

Curbing the onslaught of data intrusions may be out of your reach, but equipping your organization with safeguards and preparations that reduce intrusion susceptibility is well within your grasp, no matter your size!

In The Ultimate Cybersecurity eGuide, you’ll discover:
• Cybersecurity’s pivotal role to your organization
• Your organization’s and data’s vulnerability
• How to prevent a data breach
• How to form digital policies, procedures and trainings
• Methods of responding to and recovering from a data breach

The four phases in this eGuide will provide you with simple steps to developing a cybersecurity strategy capable of defending your organization and data.

Phase 1: AWARENESS | Phase 2: PREVENTION | Phase 3: RESPOND | Phase 4: RECOVER


Contents

Phase 1: Awareness - Understanding cyberthreats and vulnerability

Phase 2: Prevention - Deterring cyber intrusions and data breaches

Phase 3: Response - Managing active intrusions

Phase 4: Recovery - Identifying and addressing susceptibilities

Glossary

Appendix: Develop Policies and Procedures

Appendix: Develop Cybersecurity Training


Phase 1: Awareness - Understanding cyberthreats and vulnerability

Today’s cyberthreat landscape is filled with a growing number of exploitation methods, including ransomware, advanced persistent threats, and insider threats. While there’s no need to be the Webster’s of cyberthreats, every modern business stakeholder should understand the most prominent threats to his or her organization.

Ergo, your first task in developing a cybersecurity strategy is to become familiar with prevalent threats in the digital ecosystem. Familiarity with popular attack methods, such as compromised WiFi networks or keylogging, is imperative, as susceptibility to these threats permeates nearly every industry.

However, your research shouldn’t stop with universal threats…

It’s important to investigate the most prevalent threats within your market. Using trusted resources coupled with professional groups, forums, and trade publications will often help narrow your research to specific industry criteria.

Annually reviewing resources like the Dept. of Homeland Security’s cybersecurity division or NIST keeps you current with an evolving cyber landscape and newly emerging threats.

Identifying Your Organization’s Threat Vulnerability

After familiarizing yourself with the cyberthreat landscape, you’ll want to determine how vulnerable your organization is to a targeted cyberattack.

We’ve abridged a process recommended by the National Institute of Standards and Technology to evaluate your organization’s cyberthreat vulnerability. This three-step process assesses vulnerability based on variables that define the data your organization transmits or processes.

STEP 1: Identify Data your Organization Uses and Stores

To begin the process of assessing your organization’s risk, make a list of every type of data (information) your organization processes or collects (e.g. email addresses, phone numbers, account numbers, lines of invoice, etc.). Consider collaborating with members of management or other knowledgeable employees so that your data inventory is accurate and all-inclusive.

Make sure to include all internal data (information associated with your employees or the organization itself) and external data (information associated with those outside the organization: clients, partners, other stakeholders, etc.), and label each accordingly.

Before ending step one, create a few categories (typically no more than 6) that can logically describe pieces of your data that are similar. How you determine to group your data will depend on your industry and mode of business.

If your organization hasn’t previously defined or grouped similar points of data, click here for a quick and easy process recommended by our CTO.


STEP 2: Determine the Data’s Value

The next step is to determine each data type’s value. A data type’s value reflects how useful its contents are to cybercriminals, coupled with how severely its exposure could impact your organization or customers.

Using an ordinal scale is typically more efficient than attempting to estimate a monetary value. Consider using a 0-3 scale: 0: no value | 1: low value | 2: moderate value | 3: high value.

To arrive at an accurate value, evaluate every piece of information using these key questions (they correspond to a loss of confidentiality, integrity and availability, respectively):

• What would take place if this information were released to the public?

• If the information were modified or miscommunicated, what further implications could occur?

• If employees or customers could not access this data, how would they be impacted?

Rate the answer to each question on the 0-3 scale; the worst of the three answers is the data type’s value.

STEP 3: Determine the Data’s Threat Vulnerability

After determining each data type’s value, you need to determine the collective threat vulnerability index of each category. To do this, simply find the data with the highest value (0-3) and assign that same number as the category’s overall threat vulnerability index.

For example, the “Financial Information” category below contains data that were given a rating of 2: moderate and 3: high. Therefore, the Financial Information category was assigned a vulnerability index of 3: high, because that’s the highest value found among its data.

Notice that averaging the values of all the data within a category is not recommended. Assigning an averaged value to a category could leave highly (3) vulnerable data in a category that only averages to a moderate (2) or low (1) threat vulnerability index. Put simply, averaging can leave highly vulnerable data with insufficient protection.

The finished result provides an estimate of which data cybercriminals are most interested in.

If working in a larger organization or in one that processes an abundance of data, consider consulting a cybersecurity threat analyst.
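The three steps above, carried through in code. This is an added example and not part of the eGuide: the inventory rows, category names and ratings are constructed for illustration. The three questions correspond to a loss of confidentiality, integrity and availability, and the “highest value wins” rule of Step 3 is the same high-water mark that NIST’s FIPS 199 uses when categorizing systems, so the example scores each data type as the worst of its three answers and each category as the worst of its data types, then lists exactly which data type an averaged index would leave under-protected.

```python
"""Phase 1 worked through: data inventory, per-type value, per-category index.
Added example (not the eGuide's own). All inventory rows are constructed."""
from collections import defaultdict

# Ordinal scale from Step 2: 0 none, 1 low, 2 moderate, 3 high.
SCALE = {0: "none", 1: "low", 2: "moderate", 3: "high"}

# Step 1: the inventory (constructed). Each row is (data type, category,
# internal/external, answer to Q1 "released?", Q2 "modified?", Q3 "unavailable?"),
# with every answer on the 0-3 scale.
INVENTORY = [
    ("Employee home addresses",      "HR Records",            "internal", 2, 1, 1),
    ("Payroll bank account numbers", "Financial Information", "internal", 3, 3, 2),
    ("Customer invoice line items",  "Financial Information", "external", 2, 2, 1),
    ("Newsletter subscriber emails", "Marketing Data",        "external", 1, 0, 0),
    ("Public product brochure",      "Marketing Data",        "external", 0, 1, 0),
]


def data_value(released, modified, unavailable):
    """Step 2: a data type's value is the worst of its three answers."""
    for answer in (released, modified, unavailable):
        if answer not in SCALE:
            raise ValueError(f"answers must be on the 0-3 scale, got {answer!r}")
    return max(released, modified, unavailable)


def category_index(inventory):
    """Step 3: a category's threat vulnerability index is the highest value of
    any data type it contains (the high-water mark), never the average."""
    index = defaultdict(int)
    for _name, category, _scope, q1, q2, q3 in inventory:
        index[category] = max(index[category], data_value(q1, q2, q3))
    return dict(index)


def category_average(inventory):
    """The averaging approach the guide warns against; kept only to show what it hides."""
    values = defaultdict(list)
    for _name, category, _scope, q1, q2, q3 in inventory:
        values[category].append(data_value(q1, q2, q3))
    return {cat: sum(v) / len(v) for cat, v in values.items()}


def under_protected_by_average(inventory):
    """Data types whose own value exceeds the average of their category: exactly
    the data an averaged index would leave with insufficient protection."""
    avg = category_average(inventory)
    return [name for name, cat, _scope, q1, q2, q3 in inventory
            if data_value(q1, q2, q3) > avg[cat]]


def report(inventory):
    """Category -> (index, label), e.g. {'Financial Information': (3, 'high')}."""
    return {cat: (idx, SCALE[idx]) for cat, idx in category_index(inventory).items()}


if __name__ == "__main__":
    for cat, (idx, label) in report(INVENTORY).items():
        print(f"{cat:22} index {idx} ({label})")
    print("under-protected if averaged:", under_protected_by_average(INVENTORY))
```

With the constructed rows, Financial Information averages to 2.5 but indexes to 3, and the payroll account numbers are the data type that averaging would under-protect; that is the situation the paragraph above describes.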


Phase 2: Prevention - Deterring cyber intrusions and data breaches

Employing safeguards that help prevent, deter and identify data breaches is a crucial pillar of any cyber strategy. The prevention phase of cybersecurity involves protecting your organization’s data through preventative safeguards and measures.

Every organization’s security infrastructure will vary to some extent, yet some provisions are universal and should be implemented regardless of industry or market:

Cybersecurity Prevention Checklist

Employee Background Checks
Prospective employees should be subject to an extensive background check. While federal and state laws vary on screening requirements, nationwide criminal and sexual offender status should be checked.

Digital Policies & Procedures
Policies & procedures define the crucial behaviors and activities employees must agree to before accessing digital devices or machines. Click here to learn what these policies should address and for tips on writing them.

Employee Cybersecurity Training
Employees are your organization’s cybersecurity gatekeepers. Providing quality cybersecurity training to all employees is pivotal and should be incorporated within your organization’s onboarding processes. Click here to learn how easy it is to develop your own employee cybersecurity course(s).

Individual User Accounts
A unique username and password should accompany every employee’s or contractor’s user account. Many security controls rely on controlled access to devices and machines via individual credentials; a shared account makes it impossible to attribute an action to a person.

Asset Control
Utilizing an individual user account for every employee enables administrators to use asset controls. A common use of these controls involves leveraging “permissions” to manage the activities or authorities a user account has access to. Grant permissions or authorities to an employee or contractor based on the needs of his or her occupation and nothing more (the principle of least privilege). Always document when permissions or other controls are assigned or revoked, and review them whenever a role changes or ends.

Controlled Access
Allowing visitors, such as temporary personnel or externally contracted employees, unsupervised access to your organization’s machines and devices creates unnecessary vulnerability. Always log visitors and ensure they are escorted by a designated employee at all times.


Wireless Access Point and Network Security
Your network and Wi-Fi hardware should always be protected and secured. Adjust settings on Wi-Fi routers and network access points for optimal security. At a minimum, protect the network with WPA2 (or WPA3 where your equipment supports it) and a strong passphrase; that is also what encrypts the traffic, so never leave the network open or on the obsolete WEP. Change the default network name (SSID), change the default administrative password of the router itself, and activate included firewalls.

Browser and Email Filters
Email filters can be utilized to reroute spam, disable the automatic download of remote content (images, stylesheets, tracking pixels) in HTML messages from unrecognized senders, and even encrypt messages. Use web filters to limit internet cookie use, password storing, and other browsing risks.
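What a mail filter has to detect in order to enforce the “no automatic downloads from unrecognized senders” rule, as an added example (not the eGuide’s and not any mail product’s code). The messages, the .example domains and the trusted-sender allowlist are constructed. The filter parses the message, lists every http(s) resource a mail client would fetch on its own while rendering the HTML (a 1×1 tracking pixel, an external stylesheet), ignores the inline cid: image that never leaves the mailbox, and lets that content load only when the sender is on the allowlist.

```python
"""Mail-filter check for 'no automatic remote downloads from unrecognized senders'.
Added example, not the eGuide's. Messages, domains and the allowlist are constructed."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of senders whose remote content may load automatically.
TRUSTED_SENDERS = {"billing@partner.example"}

# Constructed message: a tracking pixel, an external stylesheet, and one inline
# (cid:) image that is NOT remote and must not be flagged.
RAW_TEMPLATE = """From: Accounts <{sender}>
To: staff@company.example
Subject: Invoice 4471
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the attached invoice.</p>
<img src="https://track.{domain}/open.gif?id=9f1c" width="1" height="1">
<link rel="stylesheet" href="https://cdn.{domain}/style.css">
<img src="cid:logo123" alt="logo">
</body></html>
"""


class RemoteResourceFinder(HTMLParser):
    """Collects URLs a mail client would fetch automatically while rendering."""
    AUTO_FETCHED = {"img": "src", "link": "href", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.AUTO_FETCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            # Only http(s) references leave the mailbox; cid: and data: do not.
            if name == attr and value and urlparse(value).scheme in ("http", "https"):
                self.urls.append(value)


def remote_resources(raw_message):
    """Remote URLs embedded in the HTML body (empty list for plain-text mail)."""
    msg = message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    finder = RemoteResourceFinder()
    finder.feed(html_part.get_content())
    return finder.urls


def sender_address(raw_message):
    """The bare address in From:, lower-cased for allowlist comparison."""
    msg = message_from_string(raw_message, policy=policy.default)
    addresses = msg["From"].addresses
    return addresses[0].addr_spec.lower() if addresses else ""


def filter_decision(raw_message, trusted=TRUSTED_SENDERS):
    """Policy: remote content loads only for trusted senders; for anyone else the
    client must block it, so the tracking pixel never fires."""
    sender = sender_address(raw_message)
    remote = remote_resources(raw_message)
    if not remote or sender in trusted:
        action = "deliver"
    else:
        action = "block_remote_content"
    return {"sender": sender, "remote": remote, "action": action}


# Two constructed messages with identical bodies and different senders.
UNKNOWN = RAW_TEMPLATE.format(sender="invoice@unknown-sender.example", domain="unknown-sender.example")
TRUSTED = RAW_TEMPLATE.format(sender="billing@partner.example", domain="partner.example")

if __name__ == "__main__":
    for raw in (UNKNOWN, TRUSTED):
        print(filter_decision(raw))
```

The point of the cid: image in the sample is that a filter which simply strips every `<img>` breaks legitimate mail; the decision has to be about where the bytes come from, not the tag.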

Data Encryption
Many operating systems (OS) for commonly used digital machines (i.e. laptops, mobile devices, etc.) include full-disk encryption (FDE) capabilities, such as BitLocker on Windows, FileVault on macOS and LUKS on Linux. However, installing a third-party encryption application may be necessary if your OS does not support encryption natively. Full-disk encryption protects data at rest, i.e. on a device that is powered off or has not yet been unlocked; it does nothing against someone using an unlocked, logged-in machine, so pair it with a screen lock and strong login credentials.

Properly Dispose of Old Equipment
When disposing of stationary or mobile machines, the hard drive must be completely erased. Many operating systems embed this option within their native settings. Note that overwriting is not reliable on solid-state drives; use the drive’s built-in secure-erase command, or, if the drive was fully encrypted, destroy the encryption key. After erasure, the hard drive should be removed from the machine and physically destroyed. Consider consulting a trusted company that provides secure hard drive destruction and disposal services.

Applications to Install
1. Optimum operating systems
2. Hardware and software firewalls
3. Intrusion Detection/Prevention System (IDPS)
4. Remote wiping application

Applications to Avoid
1. Flagged by a firewall
2. Attached to an unexpected or unfamiliar email
3. From URLs without HTTPS (the “S” indicates a “Secure” connection; note that HTTPS only protects the download in transit and says nothing about whether the publisher is trustworthy, so also verify the vendor’s signature or published checksum)
4. Unnecessary applications or software


In-House v. Outsourcing Security Efforts

Before initiating or installing these safeguards and measures, you’ll need to decide if your organization will employ them directly or if a third-party will be contracted.

Every organization is different. As a result, there is no “one-size-fits-all” solution when it comes to outsourcing security efforts. Collaborate with your team to make the outsourcing decisions best aligned with the needs of your company.

Interested in facilitating a productive conversation? Make sure these four factors are on the agenda:

Cost. How much will outsourcing some, or all, of the safeguard or measure cost? When outsourcing, overhead costs are often eliminated: employee wages, maintenance, office space, machine and systems upgrades, etc. Do these costs outweigh the cost of employing a Managed Security Service Provider (MSSP) or other third-party provider?

Time. Building and maintaining prevention measures and safeguards internally can take time and commitment. While thorough research should be conducted prior to selecting a third-party security vendor, outsourcing security efforts eliminates time spent internally managing them. As you collaborate with your team, ask...

Vulnerability (risk). Your data’s vulnerability to cyberattacks is a big factor when determining whether to outsource a preventative measure or safeguard. If the data a safeguard or measure aims to protect is highly vulnerable, more resources may need to be engaged to adequately protect it.

Security. When you hand the reins to a third-party vendor, you’re giving them access to your organizational and customer data. Keep in mind not only the data’s vulnerability but also the track record and security strength of the third-party vendors being considered. Cybersecurity vendors aren’t exempt from breaches: if a vendor you employ is breached, your data could be compromised.

It’s important to remember that outsourcing security efforts doesn’t absolve your organization from ultimate responsibility. As a result, you should place careful and thoughtful scrutiny to the third-party cybersecurity vendor(s) trusted with your data.

Before considering a third-party security firm as a contender, make sure they can satisfactorily answer these questions.



Phase 3: Response - Managing active intrusions

A quality, well-equipped cybersecurity strategy relies on preventative measures and safeguards to deter unwanted cyber intrusions. However, even the most sophisticated cybersecurity powerhouses aren’t infallible. For this reason, having a predetermined and defined plan of action is a hallmark of cyber success!

This plan of action, commonly referred to as “Incident Response (IR),” is the process that should be followed should a data breach occur at your organization. An IR plan has two components: an IR execution team and an IR protocol.

Identifying Your Incident Response Team

An IR team is a centralized team responsible for activating your incident protocol if your network is ever compromised.

Your IR team should involve three roles:

Incident Response Manager
Oversees the IR team and the execution of its IR protocol. Coordinates with others to interpret the entire scope of a data intrusion.

Threat Researchers
Collect data on threats of cyber espionage, attacks and breaches. Researchers remain cognizant of threats within the entire cyber ecosystem.

Security Analysts
Triage and forensic security analysts make screen-in and screen-out decisions (triage), and collect details associated with a data breach should one occur (forensics).

Depending on the size and needs of your organization, some, or all, of your threat researchers and security analysts may be outsourced. However, we do not recommend outsourcing the role of incident response manager. This role’s effectiveness leans on the manager’s familiarity with your organization and his or her immediate onsite support during an intrusion.

Developing Your Incident Response Protocol

Your protocol should guide your IR team through procedures that incorporate methodical and specific action. Consider incorporating these fundamentals in your IR protocol:

IDENTIFY

Define the circumstances that warrant an initiation of your IR protocol. Many automated safeguards will flag anomalies or false positives as an active intrusion. Initiating an IR each time a false positive or irregularity is flagged can be costly and will desensitize employees to its rigor. Your protocol should address how much manual analysis is required before an IR can be initiated, for example corroboration of an alert by a second, independent log source.

SAFEGUARD

Immediately safeguard all systems to prevent further damage, and allow forensic analysis to take place as soon as possible. If the extraction of data appears to be ongoing, isolate all affected systems from the network. If the data appears to have been extracted already, leaving systems online is advisable, because evidentiary data (running processes, open network connections, memory contents) can be lost when systems are powered off. Where a system must be taken out of service, prefer disconnecting its network access over powering it down, and capture volatile memory first if your analysts are equipped to do so.

COLLECT EXTERNAL INTELLIGENCE

Information gathered by your researchers works in unison with data collected by your analysts to indicate which digital entities were compromised and how, specifically, a breach may have occurred. Additionally, search your own data for known indicators of compromise: file hashes (MD5 and, preferably, SHA-256), IP addresses, domains and similar artifacts published by threat-intelligence sources. This step can be completed after the intrusion is contained.


COLLECT LOGS AND DATA

Identify all logs and other data sources within your organization. Many logs are centralized by cloud logging or security information and event management (SIEM) tools. Other logs and data sources include Windows event logs, firewalls, server and workstation operating systems, applications, outbound proxies, end-user applications, and security tools (anti-virus, anti-spyware, IDS, IPS, VPN, etc.).

Begin with the point at which the intrusion was detected and work backwards in time to find relevant data. Look for abnormalities or unusual activity such as changes/modifications, system failures, errors, status changes, administrative events, etc. Highlight all unusual activity and abnormalities within your network traffic together with the time they occurred, and make sure the clocks of the sources you correlate agree (or normalize every timestamp to UTC) so the sequence you reconstruct can be trusted.

Forensic tools should be used in collecting this data, and analysis should be performed on verified copies (images) of the affected media, with a cryptographic hash recorded for each copy. Using non-forensic software on infected systems can overwrite timestamps and other crucial data.
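The IDENTIFY and COLLECT steps above, run over a handful of log lines. This is an added example and not the eGuide’s or AssureSign’s code. Everything in it is constructed: the log lines, the indicator list (a reserved documentation IP range, the reserved .invalid domain, and the MD5 of an empty file as a placeholder hash) and the detection time; the escalation rule (an indicator hit corroborated by an anomaly from a second, independent log source) is an assumption standing in for whatever threshold your own protocol sets. Windows Security event ID 4720 really is “A user account was created”. The same timeline also answers the where/when/what/how questions asked in the Phase 4 investigation.

```python
"""IR triage over collected logs: indicator matching, anomaly spotting, a timeline
built backwards from detection, and the 'is this really an incident?' gate.
Added example; every log line, indicator and threshold here is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed indicator list (in practice supplied by the external-intelligence step).
# 203.0.113.0/24 and .invalid are reserved for documentation and never route.
IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.invalid"},
    "hash": {"d41d8cd98f00b204e9800998ecf8427e"},   # MD5 of an empty file: placeholder only
}
ADMIN_EVENT_IDS = {"4720"}   # Windows Security: "A user account was created"

# Constructed log lines, already normalised to one shape: <UTC time> <source> key=value ...
LOG_LINES = [
    "2024-03-04T09:41:05Z auth      user=jdoe event=login_failed src=203.0.113.45",
    "2024-03-04T09:41:09Z auth      user=jdoe event=login_failed src=203.0.113.45",
    "2024-03-04T09:41:15Z auth      user=jdoe event=login_success src=203.0.113.45",
    "2024-03-04T09:52:30Z windows   host=ws17 user=jdoe event=4720 target=svc_backup2",
    "2024-03-04T10:03:11Z proxy     user=jdoe dst=update-check.invalid method=POST bytes=2400000",
    "2024-03-04T10:05:40Z antivirus host=ws17 event=quarantine md5=d41d8cd98f00b204e9800998ecf8427e",
    "2024-03-04T11:20:00Z auth      user=asmith event=login_success src=198.51.100.7",
]
DETECTED_AT = datetime(2024, 3, 4, 10, 5, 40, tzinfo=timezone.utc)   # the anti-virus alert

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<rest>.*)$")


def parse(line):
    """One log line -> dict with a tz-aware timestamp, the source, and its fields."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": m.group("source"), **fields}


def timeline(lines, detected_at, lookback=timedelta(hours=2)):
    """Start at detection and work backwards: events inside the lookback window, oldest first."""
    start = detected_at - lookback
    events = [parse(line) for line in lines]
    return sorted((e for e in events if start <= e["ts"] <= detected_at), key=lambda e: e["ts"])


def ioc_hits(events):
    """(ts, source, kind, value) for every field that matches a known indicator."""
    field_kind = {"src": "ip", "dst": "domain", "md5": "hash"}
    return [(e["ts"], e["source"], kind, e[field])
            for e in events for field, kind in field_kind.items()
            if field in e and e[field] in IOCS[kind]]


def anomalies(events):
    """The unusual activity the guide lists: administrative events, bursts of failed
    logins, and large outbound transfers. Returns (ts, source, kind, detail)."""
    found = []
    failures = defaultdict(list)
    for e in events:
        if e.get("event") in ADMIN_EVENT_IDS:
            found.append((e["ts"], e["source"], "admin_event", f"event {e['event']} by {e.get('user')}"))
        if e.get("event") == "login_failed":
            failures[(e["source"], e.get("user"), e.get("src"))].append(e["ts"])
        if e.get("method") == "POST" and int(e.get("bytes", 0)) > 1_000_000:
            found.append((e["ts"], e["source"], "large_outbound", e.get("dst")))
    for (source, user, src), times in failures.items():
        if len(times) >= 2 and max(times) - min(times) <= timedelta(minutes=5):
            found.append((min(times), source, "failed_login_burst", f"{user} from {src}"))
    return sorted(found)


def escalate_to_ir(events):
    """IDENTIFY gate (assumed rule): activate the IR protocol only when an indicator
    hit is corroborated by an anomaly from a different log source. A lone hit or a
    lone anomaly stays a ticket for manual analysis rather than an incident."""
    hits = ioc_hits(events)
    hit_sources = {source for _ts, source, _kind, _value in hits}
    return bool(hits) and any(source not in hit_sources
                              for _ts, source, _kind, _detail in anomalies(events))


if __name__ == "__main__":
    events = timeline(LOG_LINES, DETECTED_AT)
    for e in events:
        print(e["ts"].isoformat(), e["source"], {k: v for k, v in e.items() if k not in ("ts", "source")})
    print("indicator hits:", ioc_hits(events))
    print("anomalies:", anomalies(events))
    print("activate IR protocol:", escalate_to_ir(events))
```

Read oldest-first, the window tells the story the investigation wants: a short burst of failed logins from a known-bad address, a successful login, a new account created, a large upload to a known-bad domain, then the alert. The first line on its own (one failed login from that address) does not pass the gate, which is the false-positive discipline the IDENTIFY step asks for.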

NOTIFY

Immediately after a breach is identified, it’s important to determine who needs to know about it and how quickly. Your response manager should notify internal departments on a ‘need-to-know’ basis, sooner rather than later. Senior management, human resources, organization attorneys, and marketing/PR departments are examples of who may need to be contacted.

Timing of external communications is often more delicate than that of internal notifications. Therefore, employees should refrain from discussing the breach with anyone outside the organization. Internal discussions pertinent to the breach should be conducted only as needed.

If internal (or third-party) analysts are unable to identify the source or cause of the breach, consider contacting audit and risk management specialists to investigate.

The key to successfully navigating a data breach is remaining calm and having a plan. Make sure employees with designated roles on your IR team are aware of what’s expected during an incident.

Additionally, it’s important for other employees to know what’s expected of them during an incident and how they should respond when IR protocol is activated. It’s highly advisable to address this during initial employee cybersecurity training and to provide a printed version of your protocols to every employee.

After a breach has been contained and all the necessary information is collected, a breach analysis is necessary to identify what led to the intrusion. The next and final phase of your cybersecurity strategy defines how to identify contributing factors to a breach and modify processes accordingly.

Make certain your data is consistently backed up to an external drive or source that the systems being backed up cannot themselves overwrite. If your data is compromised or damaged during a breach or intrusion, you’ll need an untampered copy.
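An “untampered copy” is only as good as your ability to prove it is untampered. The example below is added here and is not part of the eGuide: at backup time it records a SHA-256 manifest of the backup set and authenticates the manifest with an HMAC key that is assumed to live somewhere the backup host cannot reach, and before a restore it checks the set against that manifest. The files, the tampering and the forged manifest are all constructed in a temporary directory.

```python
"""Backup integrity check: per-file SHA-256 manifest, authenticated with an HMAC
key held separately from the backup. Added example; the files are constructed."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_digests(root):
    """Relative path -> SHA-256 for every file under root (sorted, so output is stable)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def _tag(files, key):
    """HMAC over the canonical JSON form of the digest table."""
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def write_manifest(root, key):
    """Build the manifest at backup time. Store it, and the key, away from the backup media."""
    files = file_digests(root)
    return {"files": files, "hmac": _tag(files, key)}


def verify_backup(root, manifest, key):
    """Check a backup set against its manifest. The HMAC is verified first, so an
    attacker who edits the files AND re-hashes the manifest still fails without the key."""
    result = {"ok": False, "reason": "", "modified": [], "missing": [], "unexpected": []}
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["hmac"]):
        result["reason"] = "manifest authentication failed (tampered manifest or wrong key)"
        return result
    recorded, current = manifest["files"], file_digests(root)
    result["modified"] = sorted(f for f in recorded if f in current and current[f] != recorded[f])
    result["missing"] = sorted(f for f in recorded if f not in current)
    result["unexpected"] = sorted(f for f in current if f not in recorded)
    result["ok"] = not (result["modified"] or result["missing"] or result["unexpected"])
    result["reason"] = "" if result["ok"] else "backup contents differ from manifest"
    return result


def demo():
    """Constructed scenario: a clean backup; then one with a changed file, a deleted
    file and an extra file; then a forged manifest. Returns the three results."""
    key = os.urandom(32)   # assumption: kept in a secrets store, not on the backup host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "accounts").mkdir()
        (root / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        (root / "notes.txt").write_text("quarterly review\n")
        (root / "config").mkdir()
        (root / "config" / "app.ini").write_text("[db]\nhost=db1\n")
        manifest = write_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        (root / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n2,99999\n")
        (root / "notes.txt").unlink()
        (root / "extra.bin").write_bytes(b"\x00" * 16)
        tampered = verify_backup(root, manifest, key)

        forged = dict(manifest, files=file_digests(root))   # attacker re-hashes but lacks the key
        forged_result = verify_backup(root, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, r in zip(("clean", "tampered", "forged manifest"), demo()):
        print(label, r)
```

Plain checksums alone would not catch the third case: whoever can rewrite the backup can usually rewrite a checksum file sitting next to it, which is why the manifest is keyed and the key is kept elsewhere.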



Phase 4: Recovery - Identifying and addressing susceptibilities

Suffering a data breach isn’t ideal; however, using this five-step recovery process can help shed light on potential improvements to your current security infrastructure, allowing future threats to be managed more effectively.

STEP 1: Return to Normal

When it’s safe to do so, return your organization to its normal operating routine as quickly as possible. After normal functioning is restored, you can begin to review and examine contributing factors that led to the intrusion.

STEP 2: Coordinate

Your organization’s leadership should meet with stakeholders most familiar with cybersecurity efforts and data throughout the recovery process. To identify the determinants of an intrusion and its sequence of events, consider coordinating with key resources:

• Cybersecurity team
• Incident Response (IR) team
• IT team
• Others directly involved with cybersecurity efforts

STEP 3: Investigate

Disaggregate and analyze external intelligence, logs and other relevant data collected during IR to determine the sequence of events leading up to the breach. Highlight abnormalities and red flags to determine:

• Where in the network the intrusion occurred.
• When the breach occurred.
• What data was affected or potentially affected.
• How the breach occurred. (Were policies bypassed or ignored? Did a firewall fail to prevent a targeted attack?)
• Who’s responsible, if anyone. (Did it occur via an employee’s user account? Is negligence involved? Could an employee have reasonably prevented the breach?)

STEP 4: Revise and Improve

Use the information and facts discovered during the investigation to steer a discussion involving policy revisions and improvements. Some sample topics may include:

• Should additional encryption options be employed?
• What permissions do employees have access to?
• How effective are current third-party security vendors?
• Can firewalls handle current data bandwidths?
• Is data backed up often enough, and is it secured?
• Should your organization consider investing in cyber insurance?
• Are log collection applications providing accurate and valuable information?

“What can be modified or implemented to prevent contributing factors from occurring in the future?”

Remember to always communicate any policy or procedure changes with employees and update all copies of your cyber policies as needed.

STEP 5: Involve Additional Parties When Necessary

Depending on the identified determinants of a breach, it may be helpful or necessary to involve some of these internal departments or external services:

Human Resources
If employee negligence was among the contributing factors to a data breach, discuss the situation with your HR department. Infractions, termination, probation, etc. can be co-navigated with your HR team.


General Counsel/Legal Aid
Working with an attorney to some extent after a breach is advisable. State laws differ on required disclosures after experiencing a data breach; an attorney can help decipher if and when a public statement is necessary. Additionally, counsel will manage any legal recourse against your organization.

Audit and Risk Management Specialists
These specialists analyze security infrastructures and recommend modifications or improvements to reduce risk and vulnerability. They’re particularly useful when the source of a breach is unclear or if you’re uncertain of what modifications to consider.

Management
Conduct a briefing with all levels of management regarding the incident and its implications on both an organizational and departmental level. Discuss any policy changes and how managers or supervisors should handle these changes with their subordinates.

Public Relations
If your organization has an internal PR team, discuss how external communications will be dealt with. If you don’t have a team or someone to handle public affairs, or if the magnitude is beyond their scope, consider hiring an external crisis PR team.


Closing Thoughts

Organizations of all shapes and sizes are meeting the demands of today’s market by digitally transforming formerly manual processes.

Welcoming automation into today’s workplace heightens business flexibility and agility, while often yielding a better customer experience.

Yet, the drastic uptick of cyber incidents places cybersecurity at the forefront of modern business functioning. Adhering to a smart cyber strategy equips business leaders with the knowledge, tools and resources necessary to protect digital assets in an increasingly virtualized market.

Because digitization now propels nearly every modern business transaction, many organizations invest in solutions like electronic signature software to keep pace with a virtualized market while saving time and extraneous cost.

At AssureSign, we strive to offer the innovative eSign software that can simplify business transactions without sacrificing the security needed to keep data safe. As an industry leader, we’re committed to helping our customers, partners and other organizations engender the same unparalleled security that protects our customer data 24/7.

“Information sharing is essential to the protection of critical infrastructure and to furthering cybersecurity for the nation.”

- Department of Homeland Security

AssureSign relies on this four-phased security strategy to keep your and your customers’ data safe and sound. Download your copy of our “eSignature Security Relay Race” Whitepaper to learn how AssureSign leaps over cyber hurdles and leaves intruders in the dust by keeping your data secured at rest and in motion.

Download My eSignature Security Whitepaper


Glossary: Cybersecurity Terms and Definitions

Administrators
The primary authority of a digital entity, such as a device or network, with ultimate privileges to create and amend the entity’s parameters.

Credentials
Login information, usually consisting of a user ID and password, that grants access to a managed system.

Cyberspace
The digital domain in its entirety where data is stored, modified or exchanged between computers, networks, applications, devices, and other electronic assets.

Cybersecurity
The effort to defend against cybercriminal or otherwise unauthorized activity through a body of technology systems, processes and practices.

Cyberthreats
The potentiality for malicious attempts to damage, breach, or otherwise compromise a computer system or network.

Data Breaches
(Often used interchangeably with “Intrusion”) A security incident in which confidential, sensitive, or otherwise protected data is surreptitiously viewed, copied, transmitted or compromised.

Exploits
Code or techniques that take advantage of a specific vulnerability in a computer system, network or application in order to compromise it. (The term is sometimes used loosely for the attack attempt itself.)

False Positives
When a monitoring system incorrectly detects a condition, such as a data breach. The monitoring system alerts users to the condition, yet the condition did not in fact occur.

Forensic Analysis
The process of analyzing data to highlight patterns or events that yield the source and/or cause of a cyber incident.

Hardware Firewalls
Hardware firewalls are typically purchased as stand-alone hardware, but can also be found in other products, like Wi-Fi routers. These firewalls examine the source and intended destination of data passing through your network to determine whether it should be allowed to reach connected machines.

Incident Response (IR)
An organization’s approach to addressing a cyberattack or breach. An IR plan defines the course of action during an active breach and the aftermath.

Insider Threats
Intentional or unintentional threats to an organization’s cybersecurity originating from an employee or an employed third party.

Intrusion
(Often used interchangeably with “Data Breach”) A security incident resulting in a person or entity gaining unauthorized access to a computer, digital device, system or network.

Intrusion Detection/Prevention System (IDPS)
An Intrusion Detection/Prevention System (IDPS), sometimes referred to simply as an Intrusion Prevention System (IPS), is network security technology that analyzes network traffic flow. An IDPS detects, and where configured blocks, attempts to exploit vulnerabilities, such as attacks targeting applications or remote-control attempts; a system that only alerts, without blocking, is an intrusion detection system (IDS). It’s typically utilized by organizations processing high-volume or classified data and isn’t necessarily a must for all organizations.

Keylogging
A surveillance technology capable of recording the keystrokes on a computer. The practice of keystroke logging is most often used to illegally obtain login credentials, PII, and other sensitive information.


Managed Security Service Provider (MSSP) An outsourced vendor providing management of various security efforts, such as firewall monitoring, intrusion detection, vulnerability assessment, virus blocking, and virtual private network (VPN) hosting.

Optimum Operating SystemsA host of operating systems (OS) are available for your stationary and mobile machines. Whetherit’sWindows,macOS,orLinuxfordesktops/laptopsoriOS,Android,orBlackberry OS for mobile smart devices, it’s critical that these operating systems be kept up-to-date with the latest patches and updates issues by the manufacturer.

Permissions(Mayalsobereferredtoas“userrights”)Describetheprivilegesorauthorizationsthatallow a user to access data files or controls (e.g. installations, downloads, modifying preferences, etc.).

RansomwareA type of malware planted onto a computer or digital device that compromises its operation and/or data until a payment is made to the perpetrator.

Remote Wiping ApplicationThese applications allow a user to remotely wipe all the data from a device’s hard drive. Remotewipingapplicationspreventmaliciousdataextractionwhenadeviceislostorstolen.

Software Firewalls
Software firewalls are installed directly onto a device and protect it from outside control or access attempts. A software firewall should constantly be running on your system and actively defending all machines connected to it. Most software firewalls come with settings to automatically block applications they deem “unsafe” from running on your machine. Other protections may include print sharing controls, web filtering, safe file setup, and more.

Spyware
Software installed on a device to covertly gather data on computing or browsing activity. Spyware can be used for cyber espionage or for innocuous reasons.

Third-Party Security Vendor
Cybersecurity efforts employed by a supply chain, software provider, or otherwise outsourced entity, such as a Managed Security Service Provider (MSSP).

Threat Vulnerability Index
A scaled rating of how vulnerable a given set of data is determined to be to cyberattacks. The index is often expressed on an ordinal scale (e.g. 1: Low, 2: Moderate, 3: High).

User Account
An independent account with accompanying credentials that grants an individual access to a digital entity, such as a computer or network.


Appendix:

Develop Policies & Procedures
Policies and their accompanying procedures should aim to diminish intrusion risk and vulnerability while your organization’s digital assets are in use.

Well-designed cybersecurity policies should address four things:

1. The information you care about and why it needs to be protected
2. How the information will be protected
3. Who’s charged with enforcing the policies & procedures
4. To whom the policies & procedures apply

When determining (1) the information you care about and why it needs to be protected, look back to your vulnerability assessment in Phase 1: Awareness. That data should comprise the information you care about, and the ramifications of it circulating outside your organization highlight why it needs to be protected.

Much of the language included in your policies & procedures will address (2) how the information will be protected. See the guidelines below on crafting policies and procedures that effectively safeguard your organization’s digital assets.

Deciding (3) who’s charged with enforcing policies & procedures will largely depend on the needs of your organization. While upper management will often adopt this role, you may wish to assign responsibilities differently based on the size and structure of your company.

(4) To whom the policies & procedures apply should be explicitly mentioned. As a rule, most of the policies should apply horizontally across the organization. However, certain procedures (and possibly policies) may vary depending on the department, occupation or circumstances. For example, if a policy reads, “Employees may not use any user account other than the one assigned,” an exception may be required on behalf of IT teams when physically or remotely troubleshooting an employee’s user account or physical machine.

Develop Policies & Procedures Capable of Defending Your Organization’s Data

In the drafting phase, consider elements of the cybersecurity prevention checklist from Phase 2 (handling of passwords, user permissions, Wi-Fi use, disposing of old technology, etc.). Additional policy topics may include:

• Acceptable internet use
• Acceptable device and machine use
• Physical security and location of devices and machines
• Contingency planning

Examples of well written digital policy statements:

• All computer users will have their own account and password.
• Passwords are not to be shared with anyone.
• All computer users will read and sign an access and use agreement.
• No external downloads are permitted on organization computers or devices.

Procedures Accompany Policies

Procedures are the specific steps or actions individuals must follow to remain compliant with a given policy.

Well written procedures are clear, concise, and easily applied to applicable scenarios. They should be specific, but not overly descriptive.

Here’s an example of a sequential procedure that could apply for the policy, “All computer users will have their own account and password”.


1. A supervisor (or other designated employee) submits a request for a new user account to be created on behalf of an employee;
2. System administrator creates new account with unique username and appropriate network identifiers;
3. System administrator assigns a temporary password to the new account;
4. System administrator notifies the new user of the unique account username and temporary password;
5. New employee logs into his/her account and is prompted to immediately change the password;
6. System administrator reviews all user accounts monthly.
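The six-step procedure above as it might be carried out on a Linux host, written here as an added example that is not part of the eGuide. It assumes the shadow-utils commands useradd, chpasswd and chage are available, needs root to actually create an account, and leaves the request (step 1) and the out-of-band hand-over of the temporary password (step 4) as human steps. The two review helpers for step 6 read passwd- and shadow-format files, so they can be exercised against constructed sample records before being pointed at /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example, not part of the AssureSign eGuide: the account procedure
# above on a Linux host with shadow-utils (useradd, chpasswd, chage).
# provision_user must run as root; the review helpers only read files.

# Step 3 helper: a random 16-character alphanumeric temporary password.
gen_temp_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# Steps 2, 3 and 5: create the account under a unique username, set the
# temporary password, and expire it so the first login forces a change.
# The password is printed once so the administrator can pass it on (step 4).
provision_user() {
    username="$1"
    fullname="$2"
    temp=$(gen_temp_password)
    useradd -m -c "$fullname" "$username"
    printf '%s:%s\n' "$username" "$temp" | chpasswd
    chage -d 0 "$username"      # last-change day 0 => must change at next login
    printf 'temporary password for %s: %s\n' "$username" "$temp"
}

# Step 6, part 1: list interactive human accounts (UID 1000-65533 with a
# real login shell) from a passwd-format file, to check against HR records.
list_human_accounts() {
    awk -F: '$3 >= 1000 && $3 < 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Step 6, part 2: from a shadow-format file, list accounts whose password was
# last changed more than $2 days ago (field 3 is days since 1970-01-01).
# A last-change value of 0 also flags accounts still awaiting their first
# forced change, i.e. the new user never logged in.
stale_passwords() {
    now_days=$(( $(date +%s) / 86400 ))
    awk -F: -v now="$now_days" -v max="$2" \
        '$3 != "" && (now - $3) > max { print $1 }' "$1"
}

# Monthly review against the live files (read-only):
#   list_human_accounts /etc/passwd
#   stale_passwords /etc/shadow 90
```

The review helpers are deliberately separated from provisioning so the monthly check in step 6 can be run by someone without the rights to create accounts; the 90-day threshold and the UID range are assumptions to adjust to the organization's own policy.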


Appendix:

Develop Cybersecurity Training
Cybersecurity trainings should incorporate the distribution of all digital policies & procedures, along with other expected practices that keep data secure. Develop trainings that facilitate discussions about your organization’s policies & procedures, their importance, and the reasoning behind them.

Because no employee should be granted access to digital equipment prior to proper training, incorporating initial cybersecurity training into the new employee onboarding process is a best practice.

The best training programs are tailored to the individual needs of an organization, yet some recommendations apply to any training:

• Limit training sessions to 60-90 minutes with short breaks.
• Ensure the instructors practice the concepts they’re teaching.
• Provide reasoning behind policies & procedures and examples of what can happen if they’re not followed.
• Utilize different techniques, such as various presentation styles, dyad or triad activities, group discussions, workbooks, and quizzes.
• Obtain an employee’s commitment to follow all policies & procedures in writing.

Because the digital realm is ever-changing, employees should be required to participate in continuing cyber education throughout the duration of their employment. Continuing education may involve online courses, in-person training, or a combination thereof.


© 2018 AssureSign LLC. All rights reserved
