APPENDIX A: POLICIES

In Chapter 5.0, we enumerated many policies that we believe should be integral parts of an organization’s cybersecurity program. This appendix is an annotated summary of those policies. To make the appendix easier to use, the policies and their subheadings are listed alphabetically.

Audit Security

  • Audit logging: Some cyber attackers use techniques that hide their activities from normal security audits and scans; these are frequently referred to as “low and slow” attacks. Many cybersecurity professionals review audit logs over a long period of time to look for signs of such attacks. In the author’s previous organization, log files were retained for over seven years. This proved extremely helpful in both vulnerability analysis and legal discovery. Establish your policy for the retention of logs and files. Recording when and what types of audits were performed provides better accountability, analysis, and useful “after-action” reports in case of an intrusion or other event.
  • Vulnerability scanning: Your IT staff should continually conduct internal and external scans of your network to assess its vulnerabilities. Additionally, you should conduct similar physical security scans to identify any vulnerabilities. Establish a policy that mandates regular security-based audits to ensure that any vulnerabilities in your network or physical security are identified and addressed.

Computer Security

  • Acceptable encryption: Some ...
