Step 1: Compose and Approve the Policy Itself
This step is already performed by the vast majority of organizations. The board or executive leadership decides to mitigate the threat posed by employees’ weak passwords, access rights, and asset lists. It enlists the help of the security department to validate the implementation of these policies.
Step 2: Grant the Security Department the Visibility it Needs
Here is where most organizations falter. They have a policy, but they can’t implement it or are unsure if all vulnerabilities are covered. The failure to operationalize is therefore a governance problem — an inability to coordinate activities and responsibilities across business silos. Senior leadership leaves it to security to ensure the company is adhering to the new policy because, after all, security has the most subject-matter expertise, right?
In reality, security can only handle certain parts of the policy. A current LogicManager customer reported its prior inability to implement such a policy. They told us, “We’ve been in deadlock for three years. We have a policy drafted, but security has said it only has actionable control over certain parts, and so nothing moves forward.”
LogicManager was able to help for a very simple reason: governance platforms provide a centralized information hub, plus the ability to:
- Break up roles and responsibilities
- Assign those roles to appropriate stakeholders
- Create automated tasks to monitor the activity and ensure password/access policies are adhered to by all stakeholders
Step 3. Carry Good Governance Out to Third Parties
Since 59% of data breaches stem from a company’s third parties, it’s not enough to shore up internal security, password, and access rights policies. You need to make sure your vendors are taking as many precautions with your data as you are.
How many applications does your company rely on? How many third parties have access to sensitive information? Which employees have access to which? How much access does each employee need to get their job done?
Enterprise risk management platforms can help answer these questions, as the best of them can help you govern your software asset management and user access reviews.
Again, IT isn’t solely responsible for keeping track of these vendors. Every organization’s finance department maintains a “master asset list” of all applications, since they approve the budgets and execute purchase orders for every application.
Think about your payment systems, payroll system, customer relationship management, vendor management, and other third-party software applications. Once finance provides the list of assets and which departments own them, security simply reaches out to each process owner to operationalize the policy.
Step 4: Hold Each Party Accountable for its Piece
When security is isolated, they cannot operationalize the policy, and it’s paralyzed. But after security has access to information about which managers use which applications, it’s a simple matter of using the ERM system to push out tasks/notifications and track the results.
Each process owner receives an automatic task within the platform, which includes background on the policy as well as what is required of the individual manager. Since it’s functional managers, not the security department, that know which employees should have access rights, it’s easiest to get this information by pushing the requirements and questions down to the front lines.
After process owners handle their own pieces of the policy, they send their information back to the security department, where it can be monitored. The same process can then occur with vendor management; which vendors have access to password-protected applications, and how should their contracts be updated to reflect proper enforcement of the policy? Enforcement is then managed through contract terms and audit capabilities (based on risk assessment priorities).
So consider how achieving good governance can help you eliminate the vast majority of your cybersecurity risk by operationalizing the policies you already have in place across departments and out to third parties.
With the right governance solution, you should be able to operationalize any one of your policies within 90 days. If you operationalize your password policy across the enterprise, you’ve eliminated 81% of your cybersecurity risk.