Table of Contents
The document that determines the scope of a utility’s cybersecurity initiatives is the organizational security policy. It acts as a repository for information and decisions created by other building blocks, as well as a roadmap for further cybersecurity decisions. The organizational security policy should include information about the organization’s goals, responsibilities, security program structure, compliance, and risk management methodologies.
Importance
Employees and supervisors responsible for implementing cybersecurity might look to the corporate security policy for guidance. What has the board of directors determined in terms of security funding and priorities? What are the government's new security regulations, and how do they affect technical controls and record-keeping? Which risk management strategy will the company employ? How will the company deal with cases where an employee fails to follow the company's security policies?
Many of these questions are answered by consulting the organization's security policy. It demonstrates the leadership's commitment to security while also clarifying what security entails.
Intersections with Other Components
The
Organizational security management and policy touches on many of the other building pieces since it is so important in recording and disseminating information regarding utility-wide security initiatives. The governance building block is responsible for making high-level decisions that have an impact on all other building blocks. The compliance building block outlines what the utility must do in order to meet government-mandated security standards. Both categories of data are captured by the organization's security policy.
Actions and Procedures
Developing an organisational security policy necessitates gaining support from a diverse group of employees. The policy requires a "owner"—someone with the authority and clout to enlist the help of the proper people from the outset and carry it through to completion. In addition, the owner will be in charge of quality control and completeness. Appointing this policy owner is a good first step toward building the security policy for the organisation.
Technical employees, decision makers, and those who will be accountable for enforcing the policy will all be identified as stakeholders by the policy owner. Before the policy can be established, everyone must agree on a review process and who must sign off on it.
The utility's selection-makers—the board, CEO, government director, and so forth—ought to become aware of the enterprise objectives that the policy is meant to promote and commit sources to the policy's introduction and implementation. Safety strategy ought to be driven via business goals, no longer the alternative manner round.
The utility will need to create an asset inventory, with the most vital assets receiving special attention. Threats and vulnerabilities should be prioritised and investigated. Mitigations for those dangers can also be identified, as well as costs and the extent to which they will be implemented.
Everyone working in the utility's security programme will have duties and responsibilities defined by the policy. These obligations will need to be assigned (or at the very least approved) by the utility's leadership. Employees who fail to engage in the training or adhere to the organization's cybersecurity standards of behaviour will face sanctions if they do not complete the course.
Information That Is Required
When creating or updating an organisational security policy, the following information should be gathered because it will help inform the policy.
In addition, the utility should gather and incorporate the following information into its organisational security policy:
Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
