The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/984836
24 PEER TO PEER: THE QUARTERLY MAGAZINE OF ILTA | SPRING 2018 CASE STUDIES Building an Effective Defense on a Limited Budget Policies and Procedures What's that saying about eating elephants? It's easy to get overwhelmed by the prospect of creating a whole suite of policies and procedures to meet NIST, ISO or other standards. Not to mention that policies and procedures will do you more harm than good if you can't follow them. Modifying behavior takes time and it is unrealistic to expect that people will incorporate too many procedural changes into their day-to-day all at once. So take it one bite at a time. If you take the time to plan ahead and aren't under the gun of client demands, you don't need to hire expensive consultants to develop a suite of policies for you, potentially saving you tens of thousands of dollars. Start with a few easy to implement policies. Already have a good vulnerability scanning program, but you haven't taken the time to write it down? This may be a good place to start because you won't have to invent brand new procedures or think abstractly about policy decisions you know lile about. Find a starting point template by googling something like "vulnerability management policy template." See hps://www.sans.org/security-resources/policies. Policies won't do you much good unless you have procedures that tell those responsible how to comply with the policy. Most policy documents should have a corresponding procedure document to go along with them. The policy document says "this person in this role will do this thing every so many days, weeks or months," but it says it in generic terms, not mentioning the details of specific tools or steps. This means the policy doesn't need to change whenever your tools change. The procedure document then gives the responsible party enough detail to comply with the policy. For example, our vulnerability management policy says that we will scan all assets at least once per week, vulnerabilities will be prioritized and mitigation plans developed within five days. That doesn't change no maer what tools we use. The corresponding procedure document tells us about the tools we use and where we track vulnerabilities. If the policy has impact on regular users, then some user documentation should be created too, telling them in lay terms what they need to do. Keep everything organized and consistent. One of my first policies simply described how we would maintain policies. How oen policies are reviewed, where we store them, how we manage updates, and other details are described in detail. Well thought out policies and procedures save you time and money elsewhere in your security program. They help you prioritize and plan in other areas so you don't end up wasting money on things that don't actually make you more secure. Patching Procedures Let's assume you are already patching your servers and workstations on a regular basis. A lile extra money or time here is well spent, since a very large So many of us are responsible for securing small firms with small budgets, but all the best security tools and vendors seem designed for big organizations with lots of security dollars to spend. You have one advantage – a smaller environment is easier to defend. Here are some tips for creating a "big firm" defense for a fraction of the price. by Frank Schipani Building an Effective Defense on a Limited Budget