Information Protection - Processes & Procedures

Episode #51

Ideally and preferably, your cybersecurity program should follow established policies, standards, and procedures. These documents will govern all organization members, including staff, vendors, volunteers, and anyone working on the organization’s behalf.

The first step towards information protection is to develop and maintain a baseline configuration for your IT systems (and for OT systems, if your organization has them) that incorporates appropriate cybersecurity principles, such as least privilege.

A baseline configuration is a documented, formally reviewed, and agreed-upon set of specifications for an IT system, or for configuration items within that system. It serves as the basis for all future changes to the system and is considered the stable version of that system.

However, changes will occur over time, so a method for managing system changes is imperative. This task is part of a much larger discipline known as configuration management, which addresses the methods for controlling changes to assets throughout their lifecycle.

There are three roles your organization should consider in the change management process:
Configuration manager
Baseline manager
Verification manager

Once your organization establishes good baseline practices, the challenge is to keep track of all the changes the business requires; therefore, I suggest using a standard exception process that documents each exception to the baseline, calculates its risk, and requires sign-offs.
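To show how a documented baseline and an exception register work together in practice, here is an added example (not from the episode or any standard): it compares an observed configuration against a baseline and treats a deviation as acceptable only when the exception register holds a matching entry with enough sign-offs for its calculated risk. The settings, risk levels, sign-off counts and approver names are constructed assumptions; the three manager roles above are used as the assumed approvers.

```python
"""Check an observed system configuration against its documented baseline,
honouring a register of approved exceptions. Added example; settings, risk
levels and sign-off counts are constructed, not taken from any standard."""
from dataclasses import dataclass, field

# Constructed baseline: the agreed-upon specification for a class of hosts.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.default_inbound": "deny",
    "audit.enabled": "yes",
}

# Assumed sign-off rule: the higher the calculated risk, the more approvers
# an exception needs (e.g. configuration, baseline and verification managers).
REQUIRED_SIGNOFFS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class BaselineException:
    setting: str
    approved_value: str
    risk: str                      # "low", "medium" or "high"
    signed_off_by: list = field(default_factory=list)

    def is_approved(self) -> bool:
        """An exception only counts once it carries enough distinct sign-offs."""
        return len(set(self.signed_off_by)) >= REQUIRED_SIGNOFFS[self.risk]


def check_drift(observed: dict, baseline: dict, exceptions: list) -> dict:
    """Classify each baseline setting as compliant, covered by an approved
    exception, covered only by an exception still awaiting sign-off, or
    unauthorised drift. Settings absent from the observed config are
    reported as missing so they can be investigated rather than ignored."""
    register = {e.setting: e for e in exceptions}
    report = {"compliant": [], "approved_exception": [],
              "unapproved_exception": [], "unauthorized_drift": [], "missing": []}
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        if actual is None:
            report["missing"].append(setting)
        elif actual == expected:
            report["compliant"].append(setting)
        elif setting in register and register[setting].approved_value == actual:
            key = "approved_exception" if register[setting].is_approved() else "unapproved_exception"
            report[key].append(setting)
        else:
            report["unauthorized_drift"].append(setting)
    return report
```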

Dr. Bill Souza
CEO | Founder