Tuesday, April 13, 2010

Security Policy Review

After the security policy has been in place for some period of time, the company’s information security controls should be audited against the applicable policies. A review process should be developed that is appropriate to the procedures and resources of the company. Make sure that each policy is both A) being followed as per guidelines, and B) still appropriate to the company’s situation.

Regularly review the security policy to ensure that it still meets your company’s requirements. Create a process so that the policy is periodically reviewed by the appropriate persons. This should occur both at set intervals (e.g., once per year) and when certain business changes occur (e.g., the company opens a new location).

During reviews you will likely find that changes need to be made. Often, policy changes will be needed to accommodate changes in the company, security technology, or applicable regulations. Sometimes you will find that the policy is still appropriate for the company, but the users are no longer adhering to the policy. In this case, re-educating your users on the security policy is in order.

Regular policy review, along with taking actions dictated by the review, will ensure that the policy does not grow “stale” and will continue to be a useful management tool for years to come.

Tuesday, February 2, 2010

Security Policy Implementation

Once you’ve created your policy, you need to roll it out to your organization. Too many well-intentioned projects lose steam in this phase, so this step must be well planned and undertaken thoughtfully.

First, and perhaps most importantly, a security policy must be backed by your company’s senior management team. Without their support, the cooperation needed across departments will likely doom the implementation. Department heads must be involved, and specifically, Human Resources and Legal Services must play an integral part.

If the position doesn’t already exist, an Information Security Officer should be designated at your company who is responsible for implementing and managing the security policy. This is sometimes not practical at smaller companies, but regardless, one person, who has the authority to make executive decisions, needs to own and be accountable for your company’s security policy.

Remember that your security policy must be officially adopted as company policy. It should be signed off on and recorded in the same way your company makes any major decision, including full management approval.

Go through each policy and think about how it will be applied within the organization. Make sure that the tools are in place to conform to the policy. For example, if the policy specifies that a certain network be monitored, make sure that monitoring capabilities exist on that network segment. If a policy specifies that visitors must agree to the Acceptable Use Policy before using the network, make sure that there is a process in place to provide visitors with the Acceptable Use Policy.

User education is critical to a successful security policy implementation. A training session should be held to go over the specific policies that will impact users, as well as provide basic information security awareness training. Often, users create security issues because they simply don’t understand that what they are doing is risky or not permitted.

Users must be provided any user-level policies, and must acknowledge in writing that they have read and will adhere to the policies. If possible, coordinate this with Human Resources so that the policies can be included with any other HR documents that require a user signature.

No matter how well thought out, no policy will be 100% applicable for every scenario, and exceptions will need to be granted. Exceptions, however, must be granted only in writing and must be well documented. It should be made clear from the outset that the policy is the official company standard, and an exception will only be granted when there is an overwhelming business need to do so.

Friday, January 8, 2010

Guidelines on Policy Content

When developing content, many go about creating a policy exactly the wrong way. The goal is not to create hundreds of pages of impressive-looking information, but rather to create an actionable security plan. The following guidelines apply to the content of successful IT security policies.

  • A security policy should be no longer than is absolutely necessary. Some believe that policies are more impressive when they fill enormous binders, or contain hundreds or thousands of policies. In fact, the sheer amount of information in those policies is what makes them useless. Brevity is of the utmost importance.

  • A security policy should be written in “plain English.” While, by nature, technical topics will be covered, it is important that the policy be clear and understood by the target audience for that particular policy. There is never room for “consultant-speak” in a security policy. If there is a doubt, the policy should be written so that more people can understand it rather than fewer.

  • A security policy must be consistent with applicable laws and regulations. In some cases there are laws that apply to a company’s security practices, such as those covering encryption. Some states have specific disclosure laws and some industries have specific regulations. Research and become familiar with any regulations or laws that apply to your company’s security controls.

  • A security policy should be reasonable. The point of this process is to create a policy that you can actually use rather than one that makes your company secure on paper but is impossible to implement. Find a middle ground in the balance between security and usability that will work for you.

  • A security policy must be enforceable. A policy should clearly state what actions are permitted and what actions are in violation of the policy. Further, the policy should spell out enforcement options when non-compliance or violations are discovered.


For more information visit www.InstantSecurityPolicy.com.