It is incumbent on every business and organisation to ensure that robust technical security controls are in place for their Information Technology infrastructure to guard against unauthorised access.
Firewalls, anti-virus software and other technical controls are hugely important, and it is tempting to opt for the latest and greatest one-stop-shop hardware and software solution.
However, to fully protect your organisation and its data, a broad, comprehensive approach is required, and there is no better foundation for building a culture of security and protection than a set of robust information security policy documents that work in tandem with the technical controls you have in place.
Why?
It is tempting to think of Security Policies as just another layer of bureaucracy; they are, however, a vitally important component of any information security program.
Although a Security Policy does not provide specific low-level technical guidance, it should spell out the intentions and expectations of the Senior Management Team regarding security; it then falls to the Security or IT teams to translate those intentions into specific technical controls.
Without that clear starting point, the security or IT teams can only guess what the Senior Management Team wants, which leads to inconsistent application of security controls across different groups and business entities.
If an organisation does not have a clear set of Security Policies in place, employees are left to their own judgment in deciding what is appropriate and what is not, which leads to problems when different employees apply different standards to their behaviour.
Security policies should clearly spell out how compliance is monitored and enforced.
Documented security policies are also required by security standards, frameworks and legislation such as ISO 27001, PCI DSS, SOC 2 and, in the United States, the Sarbanes-Oxley Act.
Even when not explicitly required, a Security Policy is quite often a practical necessity in crafting a strategy to meet increasingly stringent security and data privacy requirements.
A well-written security policy can enhance an organisation's efficiency and can help to get everyone on the same page, eliminate duplication of effort, and provide consistency in monitoring and enforcing compliance.
Security Policies should also provide clear guidance for when policy exceptions are granted, and by whom.
To achieve these benefits, in addition to being implemented and followed, the policy will also need to be aligned with the business goals and culture of the organisation.
Where Should We Start?
Security policies vary in scope, applicability and complexity according to the needs of the organisation. While there is no universal model for security policies, the following list provides a good starting point.
Program Policy
Program Policies are strategic, high-level blueprints that provide guidance for an organisation's information security program. They should spell out the purpose and scope of the program and clearly define roles, responsibilities and compliance mechanisms.
Sometimes known as master or organisational policies, these documents should be formulated with high levels of input from the senior management team and every attempt should be made to ensure they are technology agnostic.
These documents are the least frequently updated type of policy and should be written at a high enough level to remain relevant even through technical and organisational changes.
Issue-Specific Policy
Issue-specific policies build upon the generic Program Policy and provide more concrete guidance on certain issues relevant to an organisation’s employees.
Examples include, but are not limited to: acceptable use of e-mail and the Internet, hardware and software, social media, network security, Bring-Your-Own-Device (BYOD), remote access and electronic data.
Although these address specific technology areas, they describe expected behaviour and requirements in general terms rather than the configuration of any one system.
System-Specific Policy
A System-Specific Policy is the most granular type of IT security policy, focusing on a particular system or type of system, such as a remote access gateway or the payroll system.
In contrast to Issue-Specific Policies, System-Specific Policies are most relevant to the technical personnel who maintain the system and to the personnel who use it.
System-Specific Policies generally consist of both a security objective and individual operational rules. Although IT and security teams should, by necessity, be heavily involved in the creation, implementation and enforcement of system-specific policies, the key decisions and rules should still be made by the Senior Management Team.
Commitment from Senior Management
Security Policies are meant to communicate intent from the Senior Management Team, preferably at the C-Suite or Board Level.
Without buy-in and importantly support from this level of leadership, any security program is doomed to fail.
To succeed, your policies must be communicated to all current and new employees.
When policies are introduced for the first time, roll-out workshops should take place in which the reasons for the policies and the information they contain are explained to all employees.
Copies of the policies should also be distributed to employees, who should be asked to confirm, either in writing or by e-mail, that they have read and understood the documents.
New employees should be provided with a copy, either physically or electronically, as part of their onboarding program and asked to confirm that they have read and understood them.
The policies should be updated regularly and employees notified of changes. Policies should be accessible to all staff via the company intranet, with hard copies made available as and when required.
Policies should be enforced consistently; it should be noted that a lack of senior management support makes this difficult if not impossible.
Realistic and Enforceable Policies
It may be tempting to base your security policies on a model of perfection; remember, however, that your employees live in the real world, and an overly cumbersome policy is highly unlikely to be either understood or, more importantly, adopted.
Likewise, policies with no mechanism for enforcement will likely be ignored by significant numbers of employees.
It is important that the consequences for failure to adhere to the policies are clear and unambiguous and that employees understand them.
Purpose and Objectives
A clear mission statement or introduction at the beginning of the Policy Document should spell out the importance of security to the organisation.
It is worth assuming that many of your employees will have little or no understanding of the importance of information security.
Scope
Each policy that makes up your overall Data & Security Policies document should include a scope or statement of applicability that clearly states to whom the policy applies. This can be based on a specific department, business unit, job role or any other organisational concept, as long as it is clearly defined.
Clarity
It is worth remembering that most people at whom a Security Policy is aimed will not be technical, so any technical terms must be clearly defined.
Organisational Fit
Although risk can never be completely eliminated, the organisation's Senior Management Team must decide what level of risk is acceptable.
The security policy should take this risk appetite into account, as it will have a bearing on the topics covered as well as the sanctions applied for any breach.
Up-to-Date Information
Although there may be no requirement for the Program Policy document to change frequently, it should still be reviewed on a regular basis.
Issue-Specific Policies should be updated as technology, workforce trends and other factors change, and new policy documents may have to be added over time.
Changes and revisions should be dated and noted at the front of the document.
What should we do next?
Review any IT Security Policies you may already have in place; your Company Handbook (if you have one) is a good starting point, as some basic topics may well be covered there.
Decide if your organisation would benefit from updating any existing policies in place or the introduction of a new set of security policy documents.
VONMAR Consulting can assist you with the following:
- Full review of existing IT and Data Security policies to identify gaps and areas of concern.
- Benchmarking of existing Policies against current best practice.
- Amending of existing Policies to bring them in line with current best practice.
- Production of new IT and Data Security policies.
- Introduction and roll out of amended or new policies.
- Provision of end-to-end project management for the entire process.
If you have any questions relating to this topic, please contact us at jonathan.robb@vonmar-consuilting.com