Taking risks is something we do every single minute, sometimes without even realizing it. A risk may be something as small as talking to somebody or as large as a major, life-defining decision. Taking risks also relates heavily to IT security, and therefore a countermeasure is required – a policy.
Information Security Policies are an important administrative security control designed to avoid, counteract or minimize IT security risks. They are an integral and inseparable part of the multitude of possible security controls, without which one cannot claim an effective implementation of any meaningful security actions. Organizations need Security Policy, Standards, and Procedures to enforce Information Security in a structured way.
Defining corporate security policies, basing them on industry standards, measuring compliance, and outsourced services are keys to successful policy management.
THE RULES OF POLICY DEVELOPMENT
Security policy and supporting documents must be not only developed but also implemented. The execution of all documents must be ensured.
A clear and understandable procedure should be developed and implemented for applying sanctions to those who fail to comply with the policy, so that staff know not only what is expected of them but also the consequences of non-compliance.
Policy – the Information Security Policy is a comprehensive statement made by the company’s senior management, indicating the role of security in the organization. The Policy is independent of particular technologies and solutions. It outlines the purpose and mission of security and serves tasks such as defining the assets considered valuable, empowering the security group and its activities, serving as a basis for resolving security-related conflicts, capturing the goals and objectives relating to security, outlining the personal responsibility of staff members, helping prevent unexplained events, defining the boundaries and functions of the security group, etc.
Standards – mandatory actions or rules. Standards help, support, and develop policies in certain areas. Standards may be internal or external (e.g. legislation). Standards can, for example, indicate how to use the software and hardware or how to deal with users. They can ensure the uniformity of technologies, applications, settings, and procedures throughout the company.
Procedures – detailed step-by-step descriptions of tasks performed to achieve a certain goal. Steps can be performed by users, IT professionals, security personnel, and other staff members dealing with specific tasks.
Procedures occupy the lowest level in the chain of policies, as they relate to computers and users and describe certain concrete steps and also how the policies will actually be implemented in the production environment. Procedures should be detailed enough to be understandable and useful.
Guidelines – describe the recommended actions and operating instructions for users, IT professionals, and other staff members, when the appropriate Standards do not apply. Recommendations may relate to technological methods, personnel, or physical security. Recommendations, as opposed to mandatory enforcement of strict Standards, show the basic approach of having some flexibility in unforeseen circumstances.
Baselines – uniform ways of implementing a given safeguard. The system must meet the baseline described by benchmarks. Baselines are discretionary; it is acceptable to implement a safeguard without following the benchmarks, as long as the implementation provides a level of security at least as strong as it would have by following them.
THE INFORMATION SECURITY POLICY FRAMEWORK
Each document listed above has a different target audience within the business and therefore they should never be combined into one document. Instead, there should be several documents that together form the Information Security Policy framework.
This framework is illustrated in the diagram above, with each level of the framework supporting the levels above it. Some small organizations tend to define Security Policies from the bottom up, starting with the capabilities of the tools at hand. Medium and large enterprises know that sound Security Policy development begins from the top down.
HOW TO START WITH THE DEVELOPMENT OF POLICIES
Practice shows that without top management’s participation and visionary input, Information Security Policy development is practically impossible.
Any endeavor in Information Security must, at the very least, be fully supported by top management. Ideally, the company’s senior management will initiate the changes in strategy and will be actively involved in the Information Security Policy development process.
No matter how talented and well-prepared the Information Security person you hire is, they will not be able to effect the necessary changes on their own.
Top management must be involved in the entire program development in order to ensure comprehensiveness, full compliance by staff, and sanctions for non-compliance – it is only effective when supervised and executed under an autocratic approach.