Essentials of an Information Security policy
Introduction
Security threats are changing, and compliance requirements for companies and governments are getting more and more complex. Beating all of it without a security policy in place is just like plugging the holes with a rag, there is always going to be a leak. For a security policy to be effective, there are a few key characteristic necessities.
Characteristics of an Information security policy
-
Information security policy should be end to end.
-
It should have a room for revision and updates.
-
It should incorporate the risk assessment of the organization.
-
It should be practical and enforceable.
Information security policy should secure the organization from all ends; it should cover all software, hardware devices, physical parameters, human resource, information/data, access control, etc., within its scope. If we talk about data as an end to end object, it will cover– Data creation, modification, processing, storage and destruction/retention. It has to be ensured that no stone has been left unturned at any step (also consider checking out this career guide for data science jobs).
Information security is like an arms race. Organisations will change and grow over a period of time; hence, an information security policy should have room for the required version updates. The policy needs to be revised at fixed intervals, and all the revisions need to be approved and documented by the authorized person. Whenever there is a major change in the organization, it should be ensured that the new updates are addressed in the policy as well.
Organisations go ahead with a risk assessment to identify the potential hazards and risks. It is very easy to pick up an Information security policy and tweak it here and there, but different organizations have different compliance requirements. It should be ensured that all the identified risks are taken care of in the information security policy.
It is not enough to talk and document thoroughly the Information security policy, one has to ensure that the policy is practical and enforceable. It should address issues effectively and must have an exception process in place for business requirements and urgencies. Without enforceability and practicality, having an Information security policy is as good as having no policy at all ((also consider checking out this perfect parcel of information for cissp certification).
Information security policy essential bits:
-
Objective
The objective of the policy should be clearly defined at the beginning of the document, after the introductory pages. The objective should cover majorly a few pieces:
-
Maintaining confidentiality: Protecting the resources from unauthorized personnel
-
Ensuring availability: Availability of resources to the authorized personnel
-
Maintaining Integrity: Ensures correctness of the resources.
It should define the terms used in the policy thereafter as well, for instance, what is the meaning of an authorized personnel with respect to the organization. What are the organization and the resources that will be covered when the words are used in a generic fashion? Roles and responsibilities are also a part of the objective- what are the responsibilities of information security department, What part of the management is seeking support and responsibilities of the management?
-
-
Scope
Companies are huge and can have a lot of dependencies, third party, contracts, etc. The scope of the audience to whom the information security policy applies should be mentioned clearly, it should also define what is considered as out of scope, e.g. an information security policy can insist that the assets connected to the company network should have the latest windows patch installed. Does this also cover the systems which the vendor/visitor connects to the network for any business need or demo purpose? What if this is a Linux or Mac PC? This segregation needs to be clear for what is in scope and what is out of scope.
-
Asset classification
This section is about everything that will be covered in the asset. How the asset will be categorized. How the asset will be classified in various categories and how will this be re-evaluated. What are the detailed responsibilities of a security team, IT team, User, and asset owner? Who is the authorized party to approve the asset classification? These are a few questions which should be answered in this section. Special care should be taken to what has to be covered here and what is in the asset management part of the policy.
-
Asset management
Asset management is basically the IT part of the asset. It will cover the lifecycle of how the asset will be taken onboard, installed, maintained, managed and retired. The lifecycle can have major parts defined:
-
Asset onboarding and installation (What is required?)
-
Asset allocation (Inventory management, who used what and when)
-
Asset deallocation (Who can authorize this?)
-
Annual maintenance/ warranty
-
Retirement (Who will decide and on what basis, approver, and maintenance)
-
-
Access control
Access control is a general topic and touches all objects- be it physical or virtual. The policy should have multiple sections within it and should cover the access management for all. Does the organization need biometric control for employees to get in, or is it ok to use conventional access cards. How is the access controlled for visitors? What is system/ access control model used to grant access to the resources? Does the company follow mandatory access controls as per roles, or is the access granted at the discretion of the management? All these parts need to be covered here. “Who gets access to what? Who grants it? Till when? Why?” – This should be defined in this section clearly.
-
Password management
This section should define the password guidelines for user PC/laptop, application passwords, network device password management, e.g. firewall, server, switches, etc.
Below parameters should be enforced when password management is defined:
-
Password complexity enabled
-
Minimum password length
-
Maximum password length
-
Password change at the first login
-
Min password age before changing
-
Max password age
-
Number of invalid password attempts defined
-
Lockout duration, and unlocking procedure
-
Password history maintained, for How long?
-
-
Change management and Incident management
How to carry out a change in the organization should be documented here. Change management is required to ensure that all the changes are documented and approved by the management. The changes can be tracked, monitored and rolled back if required. Most organizations use a ticketing system to track the changes and record all the essential details of the changes:
-
Business justification
-
Teams involved in the change
-
Who will make the change?
-
What is the change?
-
Impact analysis
-
Risk analysis
-
Test procedures
-
Rollback plan
An incident, in this case, could be a data theft or a cyber attack. Information security policy should address the procedure to be followed in such circumstances.
-
Who will declare that an event is an incident?
-
Who to contact in case of an incident?
-
How can employees identify and report an incident?
-
How an incident is used as a lesson.
-
-
Clean desk policy
Can the employees leave the assets unsecured during office hours? Do the assets need a physical lock? Does the organization leave the documents wherever they want? Can you give a print command and do not collect it right away? What to do with the prototypes, devices, and documents which are no longer needed. Answers to these questions depend on the organization to organization. Ideally, the laptops can be left unsecured with a cable lock attached. Documents which are no longer required should be shredded right away. Printer area needs to be kept clean by collecting the printed documents right away so that it does not reach unauthorized individuals. Address these in the information security policy and ensure that the employees are following these guidelines. Random checks can be conducted to ensure that the policy is being followed.
-
Data/Information classification
Just like asset classification, data also needs to be classified into various categories: top secret, secret, confidential and public. This is done to ensure that the objects/data that have high clearance level are not accessed by subjects from lower security levels. The section will ensure that the data is categorized and who is the authorized party to do so. How will the data be categorized and processed throughout its lifecycle?
-
Acceptable Internet usage policy
The Internet is full of stuff which might not be required and is inappropriate to be visited in the office premises, on the office network and official assets. Information security policy should define how the internet should be restricted and what has to be restricted. Does your organization allow viewing social media websites, YouTube, and other entertainment sites? How is the access controlled? One way is to block the websites basis category on internet proxy.
-
Antivirus management and Patch management
Two must-have IT management topics that have made it to the information security policy essentials. Antivirus and Windows/Linux patches need to be governed as per the policy. Windows and AV updates are periodic from most of the standard vendors. Windows update is released every month by Microsoft, and AV signatures are updated every day. Security policy should cover what are the latest patches and signatures to be present for ensuring system safety. AV and patch management are important requirements for most of the compliance standards.
-
Physical security
What all is covered in this section is self-explanatory. All the physical security controls and operational procedures.
-
CCTV monitoring
-
Security guard operation
-
Fire and safety system installed
-
Boom barriers, barbed wires, metal detectors, etc.
Physical security can have endless controls, but this calls for a serious assessment of what is required as per the organizational needs. Does the office need a military grade security or a junkyard level security? The controls are cost-intensive, and hence, need to be chosen wisely. Same has to be documented in the information security policy.
-
Conclusion
Now that you have the information security policy in place, get the approval from the management and ensure that the policy is available to all the in audience. Employees should know where the security policy is hosted and should be well informed. A user from finance may not know the password policy for firewalls but he/she should know the laptop’s password policy. It is the responsibility of the Security team to ensure that the essential pieces are summarised and the audience is made aware of the same. Do ensure that violator management is a part of the policy so that the employees know the consequences of not abiding.