IT Security Policies
Ten IT Security Policies Every Organization Should Have
Let’s Talk Policy
IT security policies are pivotal to the success of any organization. They are the backbone of all procedures and must align with the business’s principal mission and commitment to security. They define which personnel are responsible for which information within the company. IT security policies shape an organization’s preparedness for and response to security incidents. Information security relies on well-documented policies that are acknowledged and followed by all members of an organization.
According to the SANS Institute, an organization’s security policy sets the standard for the way in which critical business information and systems will be protected from both internal and external threats. It is important that these policies and procedures are updated in line with the organization’s annual Security Risk Assessment.
Having comprehensive security policies provides several benefits for the company. Policies can improve an organization’s overall security posture: fewer security incidents involve the company, and employees can reference policies when responding to those that do occur. A comprehensive IT security policy set also helps prepare companies for an audit, which ensures proper compliance with regulations. Additionally, it increases accountability for both users and stakeholders within an organization, which benefits the company from both a legal and a business standpoint.
What is in a policy?
IT security policies should always include the purpose, scope, policy, and procedures, unless the procedures are documented separately. They should outline rules for user and IT personnel behavior and identify the consequences of not adhering to them. Policies should define the main risks within the organization and provide guidelines on how to reduce those risks. Policies should be customized to the organization’s most valuable assets and biggest risks.
The most important policies apply to all users of the organization’s information systems. These policies protect the confidentiality, integrity, and availability of systems and data. While policies can be altered, shortened, or combined with others, the following policies should be implemented in all organizations.
So which policies do I need to have?
Acceptable Use Policy
The Acceptable Use Policy (AUP) outlines the acceptable use of computer equipment, which is provided for business purposes in serving the interests of the company, clients, and customers in the course of normal operations. The AUP defines inappropriate use of information systems and the risk it may cause. Improper behavior may compromise the network and may result in legal consequences. An example of inappropriate use is an employee accessing data through a company computer for reasons other than doing his or her job. The AUP covers general use, appropriate behavior when handling proprietary or sensitive information, and unacceptable use.
Security Awareness and Training Policy
Security awareness training should be administered to all workforce members, so they can properly carry out their functions while appropriately safeguarding company information. Employees must sign a confidentiality agreement and provide proof of completion when they have finished the training. Management should design the training to educate users on the security policy of the organization.
Goals for the security awareness and training policy should include education about the security policy and developing an understanding of how the policy protects the business, employees, and customers. The policy must also identify the personnel responsible for creating and maintaining the training. These personnel must learn to recognize changes in technology that affect security and the organization.
Pertaining to all users, the policy should include points on maintaining workstations, email and internet access policies, and employee responsibility for computer security. Key parts of security awareness training include identifying social engineering tactics, limiting system downtime, and protecting critical business information.
Change Management Policy
An organization’s change management policy ensures that changes to an information system are managed, approved, and tracked. The organization must make sure that all changes are made in a thoughtful way that minimizes negative impact on services and customers. The change management policy includes methods for planning, evaluation, review, approval, communication, implementation, documentation, and post-change review. Change management relies on accurate and timely documentation, continuous oversight, and a formal, defined approval process. The change management policy covers SDLC, hardware, software, database, and application changes to system configurations, including moves, adds, and deletes.
Incident Response Policy
The incident response policy is part of an organization’s Business Continuity Plan. It outlines an organization’s response to an information security incident. The incident response policy should be documented separately from the Disaster Recovery Plan, as it focuses on procedures following a breach of data or other security incident.
The policy should include information about the incident response team, the personnel responsible for testing the policy, the role of each team member, and the actions, means, and resources used to identify and recover compromised data. Phases of incident response include:
- Post-Incident
The incident response policy also needs to identify the incident response team and information about the system such as network and data flow diagrams, hardware inventory, and logging data. Incident handling procedures should be detailed in the policy. One of the most crucial aspects of this policy is educating users on who to report to in the case of a data breach or other security incident. Management should always assess and monitor performance, ensure cooperation between staff, and regularly test the incident response plan.
Remote Access Policy
Remote access involves connecting to the company’s network from any host. The remote access policy is designed to minimize the potential exposure to damage that may result from unauthorized use of resources. This policy should be directed at all employees and should include provisions for sending or receiving email and accessing intranet resources. The policy should also include requirements for VPN access and disk encryption.
Requirements for remote access should be similar to requirements for onsite access. For example, employees should not engage in illegal activity over their remote access connection and should not allow unauthorized users to use their work device. The policy should also enforce strong passphrases, logging off when leaving a device unattended, and refraining from connecting to other networks while connected to the internal one. The policy should also require users to ensure that they are running up-to-date antimalware software and operating systems.
Vendor Management Policy
The vendor management policy validates a vendor’s compliance and information security capabilities. The policy should address the process for acquiring vendors and how to manage all of a company’s vendors. The organization should assess the business associate’s ability to create, receive, maintain, or transmit confidential data on behalf of the company. The company must be able to trust that the third-party vendor will appropriately safeguard the information it is given. It is critical that the organization keep a risk-tiered list of its vendors, along with vendor contacts and the legal consequences if data is ever breached. Another necessary step is to create an internal response plan for each vendor in the event of a failure.
Consider the following points when choosing a vendor:
- Are they SOC 2 compliant? What other frameworks do they abide by?
- What does their SLA look like?
- Do they undergo annual security risk assessments?
- What actions do they take if their product fails?
- What access to our network will they need?
The policy should cover procedures for selecting a vendor, risk management, due diligence, contractual standards, and reporting and ongoing monitoring. Additionally, the policy should address the relationship to other areas of the risk management and compliance management practices.
Password Creation and Management Policy
The password creation and management policy provides guidance on developing, implementing, and reviewing a documented process for creating, changing, and safeguarding the strong passwords used to verify user identities and obtain access to company systems or information. The policy should touch on training and awareness as to why choosing a strong password is so important. It should include rules for changing temporary passwords and the risks of reusing old passwords.
The policy should also include specific password complexity and length requirements. It should educate users on the risk of using a common word or including personal information in a password. The policy should identify any exceptions, such as apps or other information systems that use different password requirements. It should mention account lockouts and maximum retry attempts and outline procedures for logging all unsuccessful login attempts.
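The length, complexity, common-word, personal-information, reuse and lockout rules described above, implemented as an added example that is not the article's or any vendor's code; the minimum length of 12, the limit of five retries, the five-password history depth and the short deny-list are assumed values chosen for illustration.

```python
import hashlib
import re
from collections import defaultdict

MIN_LENGTH = 12        # assumed policy minimum length
MAX_RETRIES = 5        # assumed lockout threshold
HISTORY_DEPTH = 5      # assumed number of previous passwords that may not be reused
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}   # constructed deny-list

def password_digest(password):
    # SHA-256 keeps the demo dependency-free; a real password store uses a
    # slow salted hash such as bcrypt or argon2 instead.
    return hashlib.sha256(password.encode()).hexdigest()

def check_password(candidate, personal_info, history):
    """Return the policy rules the candidate breaks (empty list means compliant)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, candidate)) for c in classes) < 3:
        problems.append("needs three of: lower, upper, digit, symbol")
    lowered = candidate.lower()
    if any(w in lowered for w in COMMON_WORDS):
        problems.append("contains a common word")
    if any(p.lower() in lowered for p in personal_info if len(p) >= 3):
        problems.append("contains personal information")
    if password_digest(candidate) in history[-HISTORY_DEPTH:]:
        problems.append("reuses a recent password")
    return problems

class LoginGuard:
    """Counts failures per account, locks at MAX_RETRIES and logs every failed attempt."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.log = []   # one entry per unsuccessful attempt, as the policy requires

    def attempt(self, user, password, stored_digest, origin):
        if self.failures[user] >= MAX_RETRIES:
            self.log.append(f"LOCKED user={user} origin={origin}")
            return "locked"
        if password_digest(password) == stored_digest:
            self.failures[user] = 0      # a successful login resets the counter
            return "ok"
        self.failures[user] += 1
        self.log.append(f"FAIL user={user} attempt={self.failures[user]} origin={origin}")
        return "locked" if self.failures[user] >= MAX_RETRIES else "denied"
```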
Network Security Policy
A complete network security policy ensures the confidentiality, integrity, and availability of data on the company’s systems by following a specific procedure for reviewing information system and network activity on a periodic basis. The policy ensures that systems have appropriate hardware, software, or procedural auditing mechanisms. Audit events include failed login attempts, information system start-up or shut-down, and the use of privileged accounts. Other logged items include anomalies in the firewalls, activity over routers and switches, and devices added to or removed from the network. Organizations should log details of each activity such as the date, time, and origin.
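An added example (not from the original article) of the periodic activity review the policy calls for: it reads constructed syslog-style lines, keeps only the auditable event types the paragraph names, and records the date, time and origin of each; the program names and message formats it matches are assumptions about the log source.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines in a syslog-like layout (not real data).
SAMPLE_LOG = """\
2024-03-04T08:01:12Z fw01 sshd: Failed password for admin from 203.0.113.9
2024-03-04T08:01:15Z fw01 sshd: Failed password for admin from 203.0.113.9
2024-03-04T08:02:40Z app02 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx
2024-03-04T08:05:00Z app02 systemd: Startup finished in 4.2s
2024-03-04T08:07:31Z sw01 dhcpd: DHCPACK on 10.0.20.44 to 00:11:22:33:44:55
2024-03-04T08:09:02Z app02 sshd: Accepted publickey for bob from 10.0.1.20
"""

LINE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")   # timestamp host program: message
ORIGIN = re.compile(r"\b(?:from|on) (\S+)")        # address following "from" or "on"

def classify(program, message):
    """Map a line to one of the auditable event types named in the policy."""
    if program == "sshd" and message.startswith("Failed password"):
        return "failed_login"
    if program == "sudo" and "COMMAND=" in message:
        return "privileged_account_use"
    if program == "systemd" and ("Startup" in message or "Shutting down" in message):
        return "system_start_stop"
    if program == "dhcpd" and message.startswith("DHCPACK"):
        return "device_added"
    return None   # routine activity, not an audit event

def review(log_text):
    """Return (events, counts); each event keeps date, time and origin as the policy requires."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, host, program, message = m.groups()
        kind = classify(program, message)
        if kind is None:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        o = ORIGIN.search(message)
        events.append({
            "date": when.strftime("%Y-%m-%d"),
            "time": when.strftime("%H:%M:%S"),
            "host": host,
            "origin": o.group(1) if o else host,   # fall back to the reporting host
            "event": kind,
            "detail": message,
        })
    return events, Counter(e["event"] for e in events)
```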
The policy must state the actions to be taken during an auditable event and who is responsible for what. For example, IT fixes the problem and then reports to the ISO. This process should be clearly identified in the policy.
The Network Security policy may branch out into other policies depending on a company’s infrastructure. Additional policies may include a Bluetooth baseline requirements policy, a router and switch security policy, and a wireless communication policy and standard. All of these policies should set out the rules and expected behaviors for accessing the network.
Access Authorization, Modification, and Identity Access Management
Access authorization requires organizations to implement the Principle of Least Privilege (PoLP): users and systems should only be given access to the information needed to complete their job. The organization should create and document a process for establishing, documenting, reviewing, and modifying access to systems and sensitive information. This process usually involves HR and IT, who grant and revoke access upon hiring and termination. Access must be granted based on valid access authorization, intended system usage, and other attributes the organization requires. An access authorization and modification map should be created in accordance with the access authorization policy and the password management policy. HR and IT must consider group membership, special privileges, temporary or guest accounts, and shared users. These policies and procedures must be updated regularly, as they are critical to data privacy.
Data Retention Policy
The data retention policy specifies the types of data the business must retain and for how long. The policy also states how the data will be stored and destroyed. This policy helps remove outdated and duplicated data, freeing storage space. A data retention policy also helps organize data so it can be used at a later date. Types of data include documents, customer records, transactional information, email messages, and contracts. This policy is essential for businesses that store sensitive information. Organizations should reference regulatory standards for their data retention requirements.
Other Important Policies to Consider
So you’ve got the Top 10 Important Policies implemented, but here are a few more we highly recommend you review and consider adding to your policy set.
- Mobile Device Management (MDM) Policy and Procedures
- Bring Your Own Device (BYOD)
- Encryption and Decryption Policy
- SPAM Protection Policies
- HR Policy Set
- System Maintenance Policy
- Vulnerability Management Policy
Tips for Writing an Effective Policy
Writing policies can be a daunting task. Here are a few tips to help get you started:
- Conduct a Security Risk Assessment to identify all the critical assets, vulnerabilities, and controls in your company. Use this assessment to determine ways to reduce or eliminate the identified risks.
- Determine the scope of the policy including who the policy will address and what assets will be covered.
- Ensure your policy is written to be easily understood by employees and enforced by management. Employees need to be explicitly aware of the consequences of not complying with the policy. These policies will help with the development of procedures, so it is important to write the policies clearly.
- Update your policies at least once a year to keep them up to date with your company’s procedures and security concerns.
Need guidance or help writing a policy set for your company?
Adsero Security can help. We offer a full range of IT Policy Creation, Assessment & Management services to help you update existing policies or build new policies.