Overview

A strong security program requires staff to be trained on security policies, procedures, and technical security controls. All staff need the skills necessary to carry out their assigned duties. This policy promotes continuous support for employees in data security and privacy education. So, I will outline the main elements of the cybersecurity program and focus in more detail on training, security awareness, and physical security.

Purpose

The main goal of this policy is to ensure that security awareness and training controls protect information systems and Personally Identifiable Information (PII), and that the confidentiality, integrity, and availability of data are preserved.
Scope

This policy applies to all VM Technologies staff: executives, shareholders, contractors, and employees.

1. Risk assessment

We must identify and assess the risks we face, because the assessment lets us prioritize them, choose cost-effective countermeasures, and mitigate the risks to a level acceptable to the organization. The risks covered in the assessment may include one or more of the following:

- Physical loss of data. We may lose immediate access to data for reasons ranging from floods to loss of electric power.
- Unauthorized access to our own data and to client or customer data. Remember that if the company holds confidential information from clients or customers, it is often contractually obliged to protect that data.
- Interception of data in transit. This includes data transmitted between company sites, and between the company and employees, partners, and contractors working from home or other locations.
- Third-party access. Contractors, partners, and the company's sales channel all handle company data, and the assessment must cover how that data is protected from them.
- Data corruption. Data may be modified, whether deliberately by an attacker or accidentally, so that it can no longer be trusted.

2. Policy

Policies must be reviewed and updated annually and whenever there is a major organizational change. Security policies must be endorsed by management, relevant, realistic, attainable, adaptable, enforceable, and inclusive, and they must match the company culture. We therefore need to review all contracts and policies, and review the functions of the COO, CIO, CISO, and other employees, to make sure the organization is actually following those policies.

The change control process should be formal and produce proper documentation of every change request: the evaluation of the request, the management decision to approve or reject it, the change made, the testing results, and rollback or communication plans where required.

3. Training

Every employee needs to be aware of their roles and responsibilities, especially where security is concerned. Even employees without technical knowledge need to be involved, because they can still be targeted by social-engineering attacks, including attempts to gain physical access. All users need security awareness training, and IT employees need additional role-specific training. A security awareness program is designed to remind users of potential threats and of their part in mitigating the risk to the organization.
The Interagency Guidelines require institutions to implement an ongoing information security awareness program, to invest in training, and to educate executive management and directors.

The goal of education is to explain why; the anticipated outcome is insight and understanding. The goal of training is to explain how; the anticipated outcome is knowledge and skill. The goal of awareness is to explain what; the anticipated outcome is information and awareness. The impact of education is long term, the impact of training is immediate, and the impact of awareness is short term.

A security awareness program is an important part of building a culture of security throughout the organization. An awareness training program is also required by many standards and regulations (e.g. ISO 27001, NYDFS). Consider approaching training in phases:

a) INITIAL TRAINING: new employees should receive baseline instruction on policies, issues, and response/reporting. Training should be pertinent to their job and short enough to keep their attention. At the end of the session, new employees should be quizzed briefly on the essential elements and sign a statement that they understand the content.

b) PERIODIC TRAINING: reviews the essential elements from the initial training session and updates employees on changes to policies and procedures. Employees should be re-quizzed on the content and sign new agreements. Depending on the business, training may be performed annually, quarterly, or as needed.

c) ONGOING PROGRAMS: ongoing programs are among the most effective tools of the security-aware enterprise.

3.1 Cybersecurity Training Policy

All employees, contractors, interns, and designated third parties must receive training appropriate to their position throughout their tenure.

- The Human Resources department is responsible for cybersecurity training during the employee orientation phase. The training must include compliance requirements, company policies, and handling standards.
- Subsequent training will be conducted at the departmental level. Users will be trained on the use of departmental systems appropriate to their specific duties, to ensure that the confidentiality, integrity, and availability (CIA) of information is safeguarded.
- Annual cybersecurity training will be conducted by the Office of Information Security. All staff are required to participate, and attendance will be documented. At a minimum, training will cover current cybersecurity threats and risks, security policy updates, and the reporting of security incidents.
- The company will support the ongoing education of cybersecurity personnel by funding attendance at conferences, tuition at local colleges and universities, subscriptions to professional journals, and membership in professional organizations.

A security awareness and training program should be evaluated continuously and changed as necessary to meet the needs of the environment, culture, and mission of the organization.

4. Physical Security

The objective of physical and environmental security is to prevent unauthorized access to, damage to, and interference with business premises and equipment. Physical access is the most direct path to malicious activity, including unauthorized access, theft, damage, and destruction. Protection mechanisms include controlling the physical security perimeter and physical entry, creating secure offices, rooms, and facilities, and implementing barriers to access, together with monitoring and alerting.

4.1 Perimeter Security

- Barriers include physical elements such as berms, fences, gates, and bollards. Lighting must cover entrances, exits, pathways, and parking areas.
- The candlepower of the lighting must meet security standards.
- Detection systems include IP cameras, closed-circuit TV, alarms, motion sensors, and security guards.
- Response systems include locking gates and doors, notification of on-site or remote security personnel, and direct communication with local, county, or state police.

4.2 Physical Entry Controls Policy

Authorization and identification are required for entry to all nonpublic company locations.

- Access to all nonpublic company locations will be restricted to authorized persons only.
- The Office of Human Resources is responsible for providing access credentials to employees and contractors.
- The Office of Facilities Management is responsible for visitor identification, for providing visitor access credentials, and for monitoring access. All visitor management activities will be documented.
- Employees and contractors are required to visibly display identification in all company locations.
- Visitors are required to display identification in all nonpublic company locations.
- Visitors must be escorted at all times.
- All personnel must be trained to immediately report unescorted visitors.

4.3 Securing Offices, Rooms, and Facilities

- The company will use a four-tiered workspace classification schema consisting of secure, restricted, nonpublic, and public.
- The company will publish definitions for each classification.
- The criteria for each level will be maintained by, and available from, the Office of Facilities Management.
- Every location will be assigned one of the four workspace classifications. Classification assignment is the joint responsibility of the Office of Facilities Management and the Office of Information Security.
- Each classification must have documented security requirements.
- The COO must authorize any exceptions.
- Areas classified as secure will be continually monitored. Use of recording devices in these areas is forbidden.

Conclusion

In my opinion, these policies and the awareness and training program make the company more secure every day, because this cybersecurity program helps us to assess risks, plan their mitigation, implement solutions, and monitor whether the solutions work as expected. That information is then used as feedback for the next assessment phase, in which we re-assess the risks we face and update the program accordingly.