What Are IT Security Policies?
So you’ve been tasked with creating a new set of IT Security Policies for your company, but what exactly goes into a policy? What are policies used for? Why do I need them? These are all great questions and hopefully we can provide some answers.
What is in an IT Security Policy?
IT Security Policies are written documents which outline the standards your company will use to protect its data, employees, and customers. Policies outline the operational and security requirements that employees must meet when working with data, setting up new technologies, or writing new software. Think of them as an IT version of a Constitution, written to spell out what is required and what is not allowed.
What is in a Policy Name?
IT Security Policy, Information Security Policy, Technology Security Policy, IT Policy Set, Security Policies; what’s with all the names? In common practice, these terms all describe the same thing: a set of written policies which define security standards at a company. Policies can be organized several different ways, such as a single large document containing multiple policies as sections or paragraphs, or a single document per policy. Some policy sets, such as FISMA/FedRAMP policies, may be grouped by control family, with several related policies grouped into a single document and a full policy set containing 20 policy documents, one per control family.
We recommend organizing policies by whichever method is easiest to maintain and keep up to date. If your policy set is built to help enforce PCI-DSS requirements, organizing the policies around the 12 PCI control families probably makes the most sense. If you are a HIPAA-centric organization, grouping one policy around each HIPAA control might make more sense. Policy sets should be living documents used for reference, and they should be easily maintainable and readable.
What Goes Into a Policy?
Security Policies are usually written at a high level, outlining technical requirements or required processes, and should not get bogged down in individual technologies or specific software. For example, a policy outlining requirements for data backups should specify items such as the required backup frequency, recovery point objectives, and recovery time objectives, but probably shouldn’t get into which software to use for backups or which specific machines to back up. (Those will come later in a documented Backup Plan.)
Why Do I Need Security Policies?
Policies help define the technology and security rules of a company and give everyone a common goal to work towards with security processes. Without these defined policies, ensuring that all systems and processes are equally secured would be nearly impossible.
Imagine an IT environment where one group is backing up a critical database every 12 hours and storing copies for 6 months. In the same company, another group is only backing up their systems weekly, and only storing 2 weeks of backups. If an issue were to arise which requires restoring previous data, having two radically different backup practices can easily wreak havoc during restoration efforts.
By standardizing a company-wide IT policy which defines that all critical systems must be backed up every 12 hours and copies stored for 6 months, you can easily ensure every department and system plays by the same rules, significantly simplifying configuration standards and reducing the manpower needed to ensure security.
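The backup standard above is concrete enough to be checked automatically. The following script is an added example (not part of the original article or Adsero Security's own tooling); it encodes the two thresholds from the text and audits a constructed inventory that mirrors the two groups described, flagging any system that falls short of the policy.

```python
"""Backup-policy conformance check.

Policy (from the text): every critical system is backed up at least every
12 hours and copies are kept for at least 6 months (taken here as 180 days).
The inventory below is constructed sample data, not real systems.
"""
from dataclasses import dataclass

# Policy thresholds as stated in the text.
MAX_BACKUP_INTERVAL_HOURS = 12
MIN_RETENTION_DAYS = 180  # assumption: 6 months expressed as 180 days


@dataclass
class BackupConfig:
    system: str
    owner: str
    interval_hours: int   # how often a backup job runs
    retention_days: int   # how long copies are retained


# Constructed sample inventory mirroring the two groups in the text.
INVENTORY = [
    BackupConfig("crm-db", "group-a", 12, 180),         # every 12h, 6 months
    BackupConfig("erp-db", "group-b", 24 * 7, 14),      # weekly, 2 weeks
    BackupConfig("file-share", "group-b", 24, 14),      # daily, 2 weeks
]


def check_backup_config(cfg: BackupConfig) -> list[str]:
    """Return the policy violations for one system (empty list = compliant)."""
    findings = []
    if cfg.interval_hours > MAX_BACKUP_INTERVAL_HOURS:
        findings.append(f"{cfg.system} ({cfg.owner}): backup interval "
                        f"{cfg.interval_hours}h exceeds policy maximum "
                        f"of {MAX_BACKUP_INTERVAL_HOURS}h")
    if cfg.retention_days < MIN_RETENTION_DAYS:
        findings.append(f"{cfg.system} ({cfg.owner}): retention "
                        f"{cfg.retention_days} days is below policy minimum "
                        f"of {MIN_RETENTION_DAYS} days")
    return findings


def audit(inventory: list[BackupConfig]) -> dict[str, list[str]]:
    """Map each non-compliant system name to its list of findings."""
    return {c.system: f for c in inventory if (f := check_backup_config(c))}


if __name__ == "__main__":
    for system, findings in audit(INVENTORY).items():
        for line in findings:
            print(line)
```

Feeding the script a real export of backup-job settings (one BackupConfig per system) turns the written policy into a repeatable check rather than a document that is only read at audit time.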
So How Do I Write an IT Security Policy?
Start by identifying your requirements, including any applicable laws or rules your company must follow. If your company is a healthcare organization, your policies will be focused on meeting the requirements of HIPAA. If your company processes a high volume of credit cards, the latest PCI-DSS standard will be your starting point. For companies without specific requirements, a neutral standard such as NIST 800-171, CIS v8, or ISO 27001 may be a useful starting point.
Once you have defined the requirements for your security policies, defining the organization of the policy set will be critical to its creation and ongoing maintenance. Find a structure which is easy to understand, such as a single document for each control family or grouping. Once each policy is identified, define its content as an outline of what that policy will cover. If your requirements have individual controls, such as SOC 2 or ISO 27001, break out each control and write a policy statement that will satisfy it.
Keep your language simple; there is no need to act like a lawyer. Policies should be written in very plain language and should be easily readable and understandable by any future reader. Remember, policies are usable documents which help your employees select, install, configure, and manage your day-to-day technology. Keep them usable.
Writing policies can be a labor-intensive and difficult task. Writing comprehensive IT Security Policies from scratch can take months or years. Defining complete outlines of what your policy goals are and then working to build out complete policies from those definitions will help speed the process.
Can I Just Download IT Security Policy Templates?
There are plenty of websites which offer basic policy templates. While templates may give you enough documentation to “check the box” during an Information Security Audit, they won’t provide you any real value or help your company improve its security. Policies are critical documents that define standards matching your company and give your employees written, easily usable standards to follow while they perform their jobs. IT Security Policies are also critical to ensuring protection of data for legal requirements, such as HIPAA, the California Consumer Privacy Act, or CMMC 2.0; for compliance purposes such as PCI-DSS, ISO 27001, or SOC 2; or even for financial reasons, such as a requirement for cyber security insurance coverage. Ensuring that your policies match your company, and that your company is actually meeting its own defined policies, is critical to your security.
Need guidance or help writing a policy set for your company?
Adsero Security can help. We offer a full range of IT Policy Creation, Assessment & Management services to help you update existing policies or build new policies.
Who Is Adsero Security?
We are a consulting firm built to help you secure your company and prepare for compliance.
Pressed with an audit deadline? Client asking for policies? Need a security testing report? We can help solve most security and compliance issues quickly to keep your business running and uninterrupted.
Who do you work with?
We have solutions to meet any company size, from 10-employee startups to 10,000-seat global enterprises. We work to build solutions that fit your needs.