"I have a very strict gun control policy: if there's a gun around, I want to be in control of it."
Information Security Policies are an important administrative security control, designed to avoid, counteract or minimize IT security risks.
Information Security Policies are an integral and inseparable part of the whole set of possible security controls; without them, no organization can credibly claim to have implemented any meaningful security measures.
Organizations need Security Policy, Standards and Procedures to enforce Information Security in a structured way.
Defining corporate security policies, basing them on industry standards, measuring compliance, and covering outsourced services are the keys to successful policy management.
Security policy and its supporting documents must not only be developed but also implemented, and their execution must be ensured.
A clear and understandable procedure should be developed and implemented for applying sanctions to those who fail to comply with policy, so that staff know not only what is expected of them, but also what the consequences of non-compliance are.
INFORMATION SECURITY POLICIES PYRAMID
THE INFORMATION SECURITY POLICY FRAMEWORK
Each document shown in the pyramid above has a different target audience within the business and therefore should never be combined with the others into one document. Instead there should be several documents that together form the Information Security Policy framework.
This framework is illustrated in the diagram above, with each level of the framework supporting the levels above it.
Some small organizations tend to define Security Policies from the bottom up, starting with the capabilities of the tools at hand. Medium and large enterprises know that sound Security Policy development begins from the top down.
POLICY - the Information Security Policy is a comprehensive statement made by the company's senior management, indicating the role of security in the organization. The Policy is independent of any particular technology or solution. It states the purpose and mission of security and accomplishes tasks such as defining which assets are considered valuable, empowering the security group and its activities, serving as the basis for resolving security-related conflicts, capturing the goals and objectives relating to security, outlining the personal responsibilities of staff members, helping to prevent unexpected events, and defining the boundaries and functions of the security group.
STANDARDS - are mandatory actions or rules. Standards support and elaborate policies in specific areas. Standards may be internal or external (e.g. legislation). Standards can, for example, specify how software and hardware are to be used or how users are to be dealt with. They ensure the uniformity of technologies, applications, settings and procedures throughout the company.
REMEMBER: Standards lower Total Cost of Ownership!
PROCEDURES – are detailed step-by-step descriptions of tasks performed to achieve a certain goal. Steps can be performed by users, IT professionals, security personnel and other staff members dealing with specific tasks.
Procedures occupy the lowest level in the hierarchy of policy documents, as they relate directly to systems and users: they describe concrete steps and how the policies will actually be implemented in the production environment. Procedures should be detailed enough to be understandable and useful.
GUIDELINES describe the recommended actions and operating instructions for users, IT professionals and other staff members in situations where no Standard applies. Guidelines may relate to technological methods, personnel or physical security. In contrast to the mandatory enforcement of strict Standards, Guidelines reflect the basic approach of allowing some flexibility in unforeseen circumstances.
BASELINES define the minimum level of security that a given safeguard must provide, and a system must meet the baseline; a published benchmark describes one uniform way of implementing it. The benchmark itself is discretionary: it is acceptable to implement a safeguard without following the benchmark, as long as the result provides a level of security at least as high as if the benchmark had been followed.
HOW TO START
Practice shows that without top management's participation and visionary input, Information Security Policy development is practically impossible.
Any endeavor in Information Security must, at the very least, be fully supported by top management. Ideally, the company's senior leaders will initiate the changes in strategy and will be actively involved in the Information Security Policy development process.
No matter how talented and well prepared the Information Security person you hire, without that backing they will not be able to effect the necessary changes.
Top management must be involved in the entire program development in order to ensure comprehensiveness, full compliance by staff, and sanctioning of non-compliance; the program is only effective when it is supervised and executed under an authoritative, top-down approach.