By Albert Fruz
Organizations are giving more priority to development of information security policies, as protecting their assets is one of the prominent things that needs to be considered. Lack of clarity in InfoSec policies can lead to catastrophic damages which cannot be recovered. So an organization makes different strategies in implementing a security policy successfully. An information security policy provides management direction and support for information security across the organization.
Information in an organization will be both electronic and hard copy, and this information needs to be secured properly against the consequences of breaches of confidentiality, integrity and availability. Proper security measures need to be implemented to control and secure information from unauthorized changes, deletions and disclosures. To find the level of security measures that need to be applied, a risk assessment is mandatory.
Security policies are intended to define what is expected from employees within an organization with respect to information systems. The objective is to guide or control the use of systems to reduce the risk to information assets. It also gives the staff who are dealing with information systems an acceptable use policy, explaining what is allowed and what not. Security policies of all companies are not same, but the key motive behind them is to protect assets. Security policies are tailored to the specific mission goals. Now let’s walk on to the process of implementing security policies in an organization for the first time.
Get Management Support
The crucial component for the success of writing an information security policy is gaining management support. Management will study the need of information security policies and assign a budget to implement security policies. Time, money, and resource mobilization are some factors that are discussed in this level. It is the role of the presenter to make the management understand the benefits and gains achieved through implementing these security policies.
Now we need to know our information systems and write policies accordingly. Whenever information security policies are developed, a security analyst will copy the policies from another organization, with a few differences. Ideally it should be the case that an analyst will research and write policies specific to the organization. This will increase the knowledge of how our infrastructure is structured, internal traffic flow, point of contact for different IT infrastructures, etc. Security policies need to be properly documented, as a good understandable security policy is very easy to implement. It should also be available to individuals responsible for implementing the policies.
So while writing policies, it is obligatory to know the exact requirements. We also need to consider all the regulations that are applicable to the industry, like (GLBA,ISO 27001,SOX,HIPAA). Management also need to be aware of the penalties that one should pay if any non-conformities are found out.
A policy should contain:
- Overview – Background information of what issue the policy addresses.
- Purpose – Why the policy is created.
- Scope – To what areas this policy covers.
- Targeted Audience – Tells to whom the policy is applicable.
- Policy – A good description of the policy.
- Definitions – A brief introduction of the technical jargon used inside the policy.
- Version – A version number to control the changes made to the document.
Once the information security policy is written to cover the rules, all employees should adhere to it while sending email, accessing VOIP, browsing the Internet, and accessing confidential data in a system. These policies need to be implemented across the organization, however IT assets that impact our business the most need to be considered first. By implementing security policies, an organization will get greater outputs at a lower cost. Policies can be enforced by implementing security controls.
Once the security policy is implemented, it will be a part of day-to-day business activities. Security policies that are implemented need to be reviewed whenever there is an organizational change. Policies can be monitored by depending on any monitoring solutions like SIEM and the violation of security policies can be seriously dealt with. There should also be a mechanism to report any violations to the policy. Employees often fear to raise violations directly, but a proper mechanism will bring problems to stakeholders immediately rather than when it is too late.
It is also mandatory to update the policy based upon the environmental changes that an organization goes into when it progresses. The policy updates also need to be communicated with all employees as well as the person who authorized to monitor policy violations, as they may flag for some scenarios which have been ignored by the organization. Management is responsible for establishing controls and should regularly review the status of controls. Below is a list of some of the security policies that an organization may have:
|Access Control Policy||How information is accessed|
|Contingency Planning Policy||How availability of data is made online 24/7|
|Data Classification Policy||How data are classified|
|Change Control Policy||How changes are made to directories or the file server|
|Wireless Policy||How wireless infrastructure devices need to be configured|
|Incident Response Policy||How incidents are reported and investigated|
|Termination of Access Policy||How employees are terminated|
|Backup Policy||How data are backed up|
|Virus Policy||How virus infections need to be dealt with|
|Retention Policy||How data can be stored|
|Physical Access Policy||How access to the physical area is obtained|
|Security Awareness Policy||How security awareness are carried out|
|Audit Trail Policy||How audit trails are analyzed|
|Firewall Policy||How firewalls are named, configured etc|
|Network Security Policy||How network systems can be secured|
|Encryption Policy||How datas are encrypted, the encryption method used, etc.|
While developing these policies it is obligatory to make them as simple as possible, because complex policies are less secure than simple systems. Security policies can be modified at a later time; that is not to say that you can create a violent policy now and a perfect policy can be developed some time later.
Acceptable usage policy
Acceptable usage policy (AUP) is the policies that one should adhere to while accessing the network. Some of the assets that these policies cover are mobile, wireless, desktop, laptop and tablet computers, email, servers, Internet, etc. For each asset we need to look at how we can protect it, manage it, who is authorized to use and administer the asset, what are the accepted methods of communication in these assets, etc.
A template for AUP is published in SANS http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf and a security analyst will get an idea of how an AUP actually looks. Some of the regulatory compliances mandate that a user should accept the AUP before getting access to network devices. Implementing these controls makes the organization a bit more risk-free, even though it is very costly. A few are:
- The PCI Data Security Standard (PCIDSS)
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Sarbanes-Oxley Act (SOX)
- The ISO family of security standards
- The Graham-Leach-Bliley Act (GLBA)
Once a reasonable security policy has been developed, an engineer has to look at the country’s laws, which should be incorporated in security policies. One example is the use of encryption to create a secure channel between two entities. Some encryption algorithms and their levels (128,192) will not be allowed by the government for a standard use. Legal experts need to be consulted if you want to know what level of encryption is allowed in an area. This would become a challenge if security policies are derived for a big organization spread across the globe.
Security policies can be developed easily depending on how big your organization is. But the challenge is how to implement these policies by saving time and money. If a good security policy is derived and implemented, then the organization’s management can relax and enter into a world which is risk-free.
Albert Fruz has five years experience in the information security field, encompassing SIEM, malware analysis, investigating security incidents, ISO 2700` audits and hardening of various devices. He has also carried out rule-based auditing for firewall forensics as well as PCI dss audits.