Drew Hjelm

Can Artificial Intelligence build your information security program? Probably not (yet!)

One of the most widely discussed tools released recently is ChatGPT from OpenAI, an artificial intelligence chatbot that provides interactive responses far more detailed than the typical chatbots you may see on a customer service website.


Will the bot take our cybersecurity jobs anytime soon? I doubt it!


Is it one step away from The Matrix? Hardly!

But it looks like it can be extremely helpful for starting projects!


I saw someone using ChatGPT to write policies based on NIST 800-53 and wondered how well the tool can build other policies, so I set out to create them. To the credit of the tool, the policies it built are a good starting point so long as you provide it with proper inputs. I asked for an Incident Response Policy based on NIST 800-61, and it provided one, but it was missing incident severity ratings. Then I asked for a severity rating to be added, but it was missing the lifecycle of an incident (Detection, Analysis, Containment, Eradication, Recovery). Also, the tool seems to be limited in the length of its response, so longer policies and procedures cannot easily be generated.


I've also used ChatGPT to help start some basic scripts for automation purposes (like querying Shodan for OSINT) and have found it to be extremely useful. ChatGPT can also create letters to help take down spoofing domains.



Check out the policy results below and see for yourself if you think they are good starts for building an information security program. They are 100% AI generated.


ChatGPT is also available for general use at: https://chat.openai.com/


Data Breach Incident Response Policy

Purpose:

The purpose of this policy is to establish a process for responding to and managing data breaches in a timely and effective manner, in accordance with NIST 800-61 and the requirements of PCI DSS and HIPAA.

Scope:

This policy applies to all employees, contractors, and other individuals who have access to sensitive data and systems within the organization.

Policy:

  1. Definition of a Data Breach: A data breach is defined as any unauthorized access, use, disclosure, modification, or destruction of sensitive data.

  2. Incident Severity Rating: Data breaches will be assigned a severity rating based on the following criteria:

    1. High severity: A data breach that results in significant damage to the organization, such as significant financial loss, reputational damage, or legal consequences.

    2. Medium severity: A data breach that has the potential to cause significant damage to the organization, but has not yet caused significant harm.

    3. Low severity: A data breach that has minimal or no impact on the organization.

  3. Incident Response Lifecycle: The incident response process consists of the following stages:

    1. Detection: The process of identifying that a data breach has occurred.

    2. Analysis: The process of evaluating the scope and impact of the breach and determining the appropriate response.

    3. Containment: The process of taking immediate action to prevent further unauthorized access or damage to sensitive data.

    4. Eradication: The process of eliminating the root cause of the breach and implementing additional security controls to prevent similar incidents from occurring in the future.

    5. Recovery: The process of restoring affected systems and data to their pre-breach state.

  4. Reporting a Data Breach: All employees, contractors, and other individuals who have access to sensitive data and systems are required to report any suspected or confirmed data breaches to the designated incident response team as soon as possible.

  5. Incident Response Team: The incident response team is responsible for coordinating the response to a data breach and ensuring that appropriate actions are taken at each stage of the incident response lifecycle. The team should consist of individuals with expertise in areas such as IT, security, legal, and compliance.

  6. Initial Response: Upon receipt of a report of a data breach, the incident response team will take the following initial steps:

    1. Assess the scope and impact of the breach and determine the severity rating.

    2. Identify the sensitive data that has been compromised.

    3. Determine the cause of the breach and take steps to prevent further unauthorized access or damage.

    4. Notify relevant parties, including law enforcement and regulatory agencies, as required by PCI DSS and HIPAA.

    5. Begin the process of recovering and restoring affected systems and data.

  7. Ongoing Response: The incident response team will continue to monitor the situation and take additional actions as necessary to mitigate the impact of the breach and prevent similar incidents from occurring in the future. The specific actions taken will depend on the severity rating of the breach and the stage of the incident response lifecycle.

  8. Communication: The incident response team will communicate with relevant parties, including employees, contractors, customers, and regulators, as appropriate to keep them informed of the situation and any actions taken in response to the breach.

  9. Post-Incident Review: After the data breach has been resolved, the incident response team will conduct a post-incident review to identify any lessons learned and make recommendations for improvement.

Access Control Policy

Purpose:

The purpose of this policy is to establish and maintain the security of the organization's information systems and protect the confidentiality, integrity, and availability of the organization's information and systems.

Scope:

This policy applies to all information systems, including hardware, software, and data, that are owned, operated, or managed by the organization. It also applies to all individuals who have access to the organization's information systems, including employees, contractors, and third-party service providers.

Policy:

  1. Access to the organization's information systems is restricted to authorized individuals only.

  2. Access to the organization's information systems is granted based on the principle of least privilege, meaning that individuals are granted access to only the resources and privileges that are necessary to perform their job duties.

  3. Access to the organization's information systems is granted and revoked by authorized personnel, following established procedures.

  4. Access to the organization's information systems is reviewed on a regular basis to ensure that access privileges are appropriate and current.

  5. Access to the organization's information systems is logged and audited to monitor and detect unauthorized access or activity.

  6. Access to the organization's information systems is protected by strong passwords that are changed regularly.

  7. Access to the organization's information systems is protected by two-factor authentication or other strong authentication methods, as appropriate.

  8. Physical access to the organization's information systems is controlled and restricted to authorized personnel only.

  9. Remote access to the organization's information systems is secured and monitored to prevent unauthorized access.

  10. Any suspected or actual unauthorized access to the organization's information systems must be immediately reported to the appropriate authorities.

Procedures:

  1. Access to the organization's information systems is granted through the use of unique user accounts.

  2. Access to the organization's information systems is granted based on an individual's job duties and responsibilities.

  3. Access to the organization's information systems is granted by authorized personnel, following established procedures.

  4. Access to the organization's information systems is reviewed on a regular basis to ensure that access privileges are appropriate and current.

  5. Access to the organization's information systems is logged and audited to monitor and detect unauthorized access or activity.

  6. Physical access to the organization's information systems is controlled and restricted to authorized personnel only.

  7. Remote access to the organization's information systems is secured and monitored to prevent unauthorized access.

  8. Any suspected or actual unauthorized access to the organization's information systems must be immediately reported to the appropriate authorities.

Enforcement: Violations of this policy may result in disciplinary action, up to and including termination of employment or contract, as well as legal action. This policy should be reviewed on an annual basis and updated as needed to reflect changes in the organization's information systems and security practices.

