Security Policies are a necessary evil in today's workplace. Without a comprehensive Security Policy, you are vulnerable to commercial piracy and phishing attacks. In this article, I will look at the measures that should be put in place to implement an effective security policy. Each policy should be flexible enough to satisfy your organisation's requirements. It's important to understand that each policy will be unique in content, but defining it should follow some kind of model. In this article, I will highlight the fundamentals of defining your own Security Policy.
What is a Security Policy?
A policy should ideally take the form of a documented guideline that is created to enforce specific rules, regulations and procedures. In the context of 'security', it is simply a policy based on procedures revolving around security. A security policy is the foundation and structure under which a comprehensive security program can be developed. A security policy is the backbone of your firewalls, IDS systems and other infrastructure. There are a variety of considerations to be factored in before you define your own policy. Security policies are generally overlooked, not implemented, or only thought of when it's already too late. It doesn't help 'after' the fact when you are dealing with a court case. If you had a policy in place to keep people informed about what they can or cannot do (like surfing the web during business hours and hitting sites that are not business related), they may not do it in the first place, and if they do, you have a tool (the policy) to hold them accountable.
A security policy is a living document that allows an organisation and its management team to draw very clear and understandable objectives, goals, rules and formal procedures that help to define the overall security posture and architecture for that organisation. This article will cover the most important facts about how to plan for and define a security policy of your own, and most of all, to get you to think about it, whether you already have one or not.
A security policy should only be compiled after due consideration has been applied to the intent and process of the policy. You should not make a security policy too restrictive. If you do, you could cause a lot of strain on your employees, who may be accustomed to one way of doing business, and it may take a while to grow them into a more restrictive security posture based on your policy.
A security policy should contain these important features:
- The security policy must be understandable! People who read it should be able to comply with it easily. You need to ensure that it's not full of techno-babble that an end user can argue about.
- The security policy must be realistic! If you are too restrictive, complaints could arise. Remember, too much security actually impedes business so you have to find a perfect balance. Ensure it realistically meets your business, technological and security needs without alienating your staff.
- The security policy must be consistent! Telling people they can only browse business-related websites, then overturning that decision, only to reverse it again three weeks later, causes discontent and confusion amongst your user community.
- The security policy must be enforceable and supported! You can do this with auditing tools, history logging and other means. It must also be clearly backed by management. If you decide that someone is in violation of the policy, and management doesn't back the proposed sanction, then the policy is useless. It must be backed from the outset.
- The security policy must be documented, distributed, and communicated properly! If you try to enforce a security policy that nobody has read, then you are basically alone in your battle to enforce it. I suggest having new employees sign a copy of your security policy when they join the organisation. Current employees can be informed via their managers or supervisors.
- A successful security policy needs to be flexible! In order for a security policy to be a long-lasting and effective solution, the policy needs to be flexible in what it covers, who maintains it and, most important of all, who changes it. Your policy WILL experience change, just as your business changes.
- A successful security policy must be reviewed! To ensure that your policies do not become obsolete, implement a regular review process. Depending on how often your company changes its business relationships, or if it is in merger and acquisition mode, you may find yourself in constant review. Make sure you are aware of what would instigate a review, and ensure you also do a proper review after a certain amount of stagnation occurs.
Security Policy Structure
The basic structure of a security policy should contain the following generic components:
- Roles and responsibilities of those affected by the policy: Ensure that your policy clearly defines the roles and responsibilities of all those affected. In other words, if you have different levels of access to systems (for example, Internet access) based on the roles of the relevant staff, this must be clearly stated. This way no animosity should occur, since everyone knows what they can or cannot do and won't feel unfairly restricted.
- What actions, activities and processes are allowed, and which are not? The policy needs to be heavily reviewed to ensure there is no ambiguous wording that can be taken advantage of. Remember, it's all a play on words, and you have to make sure you know how to state specific things. List all actions, activities and processes that are allowed, and also those which are not, very clearly.
- What are the consequences of non-compliance? It's very important that you clearly define what sanctions will be imposed for breaches of the policy. More importantly, make sure that any sanction stipulated is carried out. Once your user community knows that you are not enforcing your own policies, the authority of the policy will be in question. This is why you need to have simple sanctions defined.
The development of security policies is also based greatly on the roles and responsibilities of staff, the departments they come from, or the business units they work within. Nothing in Information Technology is generic and standard, especially when dealing with real business examples, scenarios and issues. In the security policy framework, it's critical that all areas of responsibility are clearly defined. When developing your policy, make sure that all areas listed below are at least offered a place on the team that develops the policy:
- Management: Management would include Marketing, Sales, Customer Service, Engineering, Legal, and the list goes on and on. Make sure that each department's requirements are taken into account within the context of the security policy. The Sales Manager may want unlimited Internet access for his team, while the Customer Service Manager may request no access. You need to explain the risks involved in both cases and see if a happy medium can be reached. Management must endorse your policy.
- Information Technology functions: Since almost everything done with the Security Policy may come out of the IT department, make certain that you involve all the appropriate parties. Let's say you are the Chief Technical Officer and you are responsible for documenting a security policy. It's easy to see security from one viewpoint, but you may not have a well-rounded IT view. To be sure, involve ALL IT-related departments, including network engineering, applications and systems, change management, etc. Also, if you have IT support at remote locations or in small business units, make certain that you involve them and gather their needs as well.
- Human Resources and Legal: It is critical that you get HR and Legal involved with your security policy. You need HR to distribute the policy to new employees and existing staff. Legal needs to be involved to make sure that everything in your policy is lawful and does not infringe on employee rights.
This article is written for beginners who are unfamiliar with policies. There are many more articles and books that can be useful when developing a Security Policy, so make sure that you thoroughly research this subject and consider all aspects.
Contributed by Roman Malinowski
HR Manager - L@W Active