The tone is set, and you now know that drafting an ISSP is not an end in itself, but a response to a real need: to bring your organization into compliance and make it more secure.
How do you write a coherent and applicable ISSP?
The drafting of a security policy must involve all the players in your company. It must define the perimeters and responsibilities of each party, the resources and financial means you need, and the objectives and milestones to be met to achieve them.
Its aim is "to protect the organization's physical assets (servers, computers, networks, telephony, software applications, etc.) as well as its intangible and intellectual assets and personal data", as the ANSSI reminds us in its guide to drawing up an ISSP.
While this definition may seem generic, in reality an ISSP cannot be drafted without knowledge of the business and of the company's compliance obligations. A policy applied without regard to its impact on employee productivity will simply be circumvented over time. It is therefore legitimate to constrain company operations through security rules and best practices, but only within a framework of prior consultation with the teams concerned.
If a behavior is risky for the company but mandatory in the production process, what solution can you provide? This is a very common situation in the healthcare sector, where equipment sometimes runs on operating systems that are no longer supported, no longer receive security patches, and are therefore vulnerable by definition. Because this equipment is procured and operated under ten-year plans, it is simply not possible to replace it; the policy then has to say how that residual risk is handled (for example, by isolating and monitoring the equipment) rather than demand a replacement that will never happen. The same is true of the energy and industrial sectors. So, before drafting your company's security vision, ask yourself the question: "Is it really applicable?"
An ISSP must not be dogmatic or inward-looking. It must be coherent and applicable within the company's constraints.
To achieve this, it must integrate:
- Best practices in information system security.
- Security measures, protocols and rules already in place, to be applied and complied with, taking into account the company's intrinsic operations.
- Vulnerabilities and security weaknesses of at-risk assets that cannot be modified, identified by an information system risk analysis, together with the way the resulting risk is to be treated.
- Organizing the implementation of this internal policy.
- The method for follow-up and future modifications.
6 common mistakes to avoid when writing your ISSP.
To ensure that your security policy is both useful and applicable, we've drawn up a list of common mistakes to avoid.
1. Assuming that the ISSP only concerns the CISO
The ISSP must reflect the company's information systems security (ISS) strategy, not the personal vision of the CISO. For an internal policy to be applied throughout the company, it must come from top management. As Baptiste David points out: "Senior management must make a commitment that the rules set out in the ISSP will apply throughout the company. In this way, information system security rules become an order from the top, and no longer a request from the CIO or CISO." And that changes everything!
2. Writing only for cybersecurity insiders
Don't write your ISSP in technical jargon. On the contrary: this document must be accessible and intelligible, so that everyone involved in the company can understand what it requires of them and why. The clearer your message, the more likely you are to get everyone on board to protect the organization collectively.
3. Forgetting to define processes
Who validates compliance with the ISSP? What happens in the event of non-compliance? What can be imposed on departments? These are all questions that require you to define internal processes to ensure the policy is actually applied.
4. Not evolving your ISSP
As your information system evolves, so must your security policy. Does your ISSP take account of new cyber threats, such as supply chain attacks? Is multi-factor authentication (MFA) mandatory for logging on to your company's applications? What security measures are in place for connected objects (IoT)? Have you taken into account Shadow IT, the use of third-party services not authorized by the IT department? Do you authorize the use of personal equipment (cell phone, tablet, personal computer) to access the company's IS? Your ISSP must be consistent with the company's actual usage. Update it frequently, and at least once a year, to avoid being overtaken by new uses.
5. Failing to designate who is responsible for applying the ISSP
"Responsible but not guilty" is how Baptiste David sums up the role of the CISO. Indeed, the CISO has an obligation of means, not of results. He or she cannot be held accountable for the application of the security rules described in the ISSP throughout the company. The CISO's role is to identify non-conformities and report them so that corrective action can be taken. Each department or business unit must take responsibility for the proper application of the ISSP within its own perimeter.
6. Not measuring the application of the ISSP
As a CISO, you need to measure the gap between your current level of security and the target you want to reach. But what are your monitoring indicators? Do you have the right reporting tool? How, and on what basis, do you make the necessary trade-offs? It is by measuring this that the application of your ISSP becomes truly effective for the security of your organization. Let's talk about it.