Where to start with Security Governance

  • Writer: The CarbonVector Team
  • Jan 30, 2021
  • 3 min read

The reason for the slight gap in blog posting was the recent endeavour to get someone on the team CISSP certified. We're happy to report that we've been successful and he has passed the exam, and while absorbing the “mile wide and inch deep” content there were some areas he could really relate to.


One theme that stood out was the involvement, responsibility and endorsement of senior management to enable and support the various security initiatives. Without this top-down approach, any well-meaning IT or security team can try to implement solutions (and often does), but it's a struggle, as this is generally classed as "IT’s idea again" (bottom-up), which, let's face it, just doesn't work as well as when it comes from the top: "coming from management, so it’s in our best interest".


Many organisations we work with fall into one of two categories:


1. ISO compliant, or adhering to some governance framework.

2. Organisations trying their best to follow best practice; generally they have implemented various partial frameworks and struggle to keep every document updated, or face a frantic rush to update or create policies when clients audit them.


Generally, we find that with the 1st category, as this is very structured, the board will have a relatively short statement that supports “the framework”; so, for example, ISO 27001 companies will refer to senior management supporting the ISMS and be done with it.


The 2nd category is the really tricky one. As there is no framework, every endeavour needs to be explained to management. Here we find solutions going in and policies more often playing catch-up. The truth: if you are not working toward or in line with a framework, it's a real struggle. This sadly is a struggle many organisations and internal teams face today.


Would it not be great if we had a document we could ask senior management to endorse, covering most (if not all) of what we need them to endorse? We could then use this statement to build our policies, choose and configure the technologies we implement, and show management which areas in the approved statement our new technology or policy relates to. Dare I say we could possibly even start planning strategies and goals based on the discussions that stem from this.


All credit to the NIST Cybersecurity Framework and its Five Functions, which we think does a stunning job of helping teams take something to senior management and say, 'read this, endorse this, and enable us to work toward these goals!'


To help the community, we’ve created a "Draft Security Governance Statement" available for download; we hope this could help teams get the buy-in they need from senior management. Feel free to download and edit/tailor it to your organisation's needs, as you will most likely find you need to tweak the areas you know you’ll need to concentrate on. Our suggestion, however: LEAVE the NIST Framework statements in there and edit the areas below "What xxxxx means for <Your Organisation>:". This way the "core" sign-off is in line with a great framework that will fall in line with any other framework your company might want to work towards.


If this is helpful, or if you need help implementing any of the steps, reach out on the contact us page and someone will be in contact to help.


As the Statement covers vast areas, the plan will be to follow up with various blog posts on how to “solve” some of these specific challenges with policies and technology.


Content Credit:


Enjoy!


The CarbonVector Team

