Building on the “Information Security Program: The Foundations and Anchors” article posted two weeks ago, this article provides an overview of what security policies are, how to create them, and what benefit they bring to your organization.
Information is an important business asset and is valuable to an organization. In the present-day business environment, information defines the performance of most organisations, so it needs to be protected to ensure its confidentiality, integrity and availability. The very first step in information security is to set up policies and procedures on how to protect information.
Organizations face security threats from a wide range of sources and are vulnerable to attacks such as computer viruses, spam, hacking, denial of service, insider attacks and espionage. Information security by technical means alone is not sufficient and needs to be supported by policies and procedures.
Definition of a Security Policy
A security policy is a formal statement of the rules through which people are given access to an organization’s technology, systems and information assets. The security policy defines what business and security goals and objectives management desires (Information Security Governance), but not how these solutions are engineered and implemented.
A security policy should be economically feasible, understandable, realistic, consistent, procedurally tolerable, and should provide reasonable protection relative to the stated goals and objectives of management. At the same time, policies should be aligned with the business objectives, goals and strategies. Security policies define the overall security and risk control objectives that an organization endorses. The characteristics of good security policies are:
- They must be endorsed and approved by senior management
- They must be implementable through formal processes
- They must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible.
- They must clearly define the areas of responsibility for the users, administrators, and management.
- They must be documented, distributed, and communicated.
Security policies are the foundation and the bottom line of information security in any organization. A well written and implemented policy contains sufficient information on what must be done to protect information, technology, processes and people in the organization. Security policies also establish computer usage guidelines for staff in the course of their job duties.
System administrators and business owners have to acknowledge that security threats exist and know how to prevent and respond to them. Identifying and implementing suitable controls requires careful planning, and the participation of all employees in the organization is also vital for the success of information security management. Therefore, depending on the company’s size, financial resources, and the degree of threat, we have to set up a security policy that finds the right balance between overreacting and leaving your systems exposed to any and every attack. The objective of a well written and implemented security policy is improved information availability, integrity and confidentiality, against threats from both inside and outside the organization.
Writing Security Policies
One approach to setting security policies and procedures is suggested by the following steps:
- Identify all the assets that we are trying to protect (you cannot protect what you don’t know about)
- Identify all the vulnerabilities and threats and the likelihood of the threats happening (perform detailed Risk Analysis/Management)
- Decide which measures will protect the assets in a cost-effective manner
- Communicate findings and results to the appropriate parties (through security awareness or other training models such as inductions)
- Monitor and review the process continuously for improvement (report appropriate metrics to management and stakeholders)
Policies and the supporting processes are developed based on the findings and accepted recommendations to reduce the risks posed by the threats. The first thing to remember when writing policies is to write them in easy-to-understand language and not make them too complicated. The recommended approach is the SMART rule: policies must be Specific, Measurable, Agreeable, Realistic and Time-bound. Some areas that may be covered in such policies include:
- Securing Hardware, Peripherals And Other Equipment
- Controlling Access To Information And Systems (Logical Access Controls)
- Processing Information And Documents (Information Classification)
- Purchasing And Maintaining Commercial Software
- Mobile Device Security
- Personnel Security
- Combating Cyber Crime
- Complying With Legal And Policy Requirements
- Addressing Personnel Issues Relating To Security
- Patch Management
- Delivering Training And Staff Awareness
- Physical Security
- Detecting And Responding To IS Incidents
Implementing Security Policies
Information Security policies underpin the security of your information and your organization. However, having a security policy document is not in itself enough: the contents MUST be deployed AND implemented to be effective. This is often easier said than done!
Therefore the endorsed final copy of the Security Policy must be made easily available to all employees. It must be communicated formally to all users, and users should acknowledge by signing that they have read and understood the policy and agree to comply with it. The key to acceptance of and compliance with security policies is education. Educating employees on the need for security and keeping them involved in the policy development process is important to keep them from finding ways to avoid policies and rendering them ineffective. Seminars and awareness campaigns help to educate staff on the importance of security, especially on password selection, screen locking, document labelling, and physical (door) security.
Security policies embody management’s overall security expectations, goals and objectives. To be practical and implementable, policies must be further defined by standards, guidelines, and procedures. These must ensure that all operations are consistent with the intent of the security policies. Standards, guidelines, and procedures provide specific interpretation of policies and instruct users, customers, technicians, management, and others on how to implement the policies. Your organization should undertake the definition of standards, guidelines, and procedures only after the development and acceptance of security policies, and after specific security mechanisms supporting these policies are determined or implemented.
What’s the benefit to a Zimbabwean organisation?
The basic goals of security are availability, confidentiality and integrity. Other benefits to your organisation would be:
- Provide security directives to organization staff on information security intentions, expectations, and objectives
- Provide baseline and guidance to organization staff on implementing security practice
- Ensure the IT security framework meets the law and regulations, organization’s business objectives and security requirements
- Ensure the IT security framework follows relevant practices in well-known standards such as ISO17799 or ISO 27001
- Increase trust and confidence from your staff, business partners and customers
- Increase your competitive advantage by implementing appropriate security strategies
We must determine what we need to protect, what threats we are protecting it from, and how to protect it. In the process of identifying the risks, always remember to rank them by level of severity and priority. This will ensure that we make wise, cost-effective decisions and do not spend more to protect something than it is actually worth.
Once you have a security policy, follow through. Review the policy regularly to assess changing conditions, and ensure that the policy is updated to adapt to the change. Make the overall security policy the responsibility of one person with enough status in the company to enforce the rules. Don’t hand this important job over to a junior member of the IT staff.
This guest post was written by Agnes Mungoyo (CISA, CISM)