No circumstances should allow for operational deviation from security policies
An Information Security Policy (ISP) is a set of rules enacted by an organization to ensure that all users and networks of the IT infrastructure within the organization's domain abide by its prescriptions regarding the security of data stored digitally within the boundaries of the organization's authority. An ISP governs the protection of information, which is one of the many assets a corporation needs to protect. A policy can be as broad as its creators want it to be: basically everything from A to Z in terms of IT security, and more.

Characteristics of good security policies include conciseness, readability, actionability, enforceability, and flexibility. Policies are short and to the point in conveying the principles that guide activity within the organization. Policies contain a minimum of specialized vernacular and acronyms and clearly explain any industry-specific terms. Employees at all levels read the security policies to discern how they should act in the best interest of the organization; therefore, the policy should be actionable at every level: executive strategic planning, management of operations, and actual performance of tasks. The policy must allow compliance with it to be determined and noncompliance to be enforced against. Moreover, policies should apply to the organization for years and not become outdated with the end of life of any product supporting the policy. Any mention of specific product use belongs in a standard, not a policy. Explanations of how to use products belong in procedures, not in policy.

Review your information security policies on a regular basis, with no more than 12 months between reviews. Define trigger events for a policy review. The first trigger event is the last review plus 12 months. Other trigger events may include a change in the business environment, such as a merger, acquisition, or new business venture.
Certainly, new legislation or regulatory reform will prompt a policy review. Include a statement of review/revision trigger events in the information security policy.

A key question is why capture all this detail in written documentation. Just like a contract, written documentation ensures a meeting of the minds. The organization works from a common understanding of expectations (e.g., the SMF interpretation guide) and a common understanding of terms (e.g., an organization-specific security glossary or risk management glossary). Moreover, the key point is for the organization to capture the policy, standards, procedures, interpretations, and definitions so that these details are not just in the minds of a few individuals. It is possible to have excellent security practices in organizations that do not have a single written procedure. Although the practice is good, it is only as good and as enduring as the individual who practices it. The loss of that individual through retirement, resignation, or being hit by the proverbial bus implies a loss (or at least a degradation) of that excellent practice to the organization. Documentation captures knowledge and promotes the learning organization, where proven good practice by one becomes good practice available to all.

Mostly out of carelessness, many organizations choose, without giving it much thought, to download sample IT policies from a website and copy/paste this ready-made material, attempting to readjust their objectives and policy goals to a mould that is usually crude and offers only broad-spectrum protection. Understandably, if the fit is not quite right, the dress will eventually slip off. A high-grade ISP can make the difference between a growing business and a successful one.
Improved efficiency, increased productivity, clarity of the objectives each entity has, understanding what IT and data should be secured and why, identifying the type and levels of security required, and defining the applicable information security best practices are reason enough to back up this statement. To put it simply: if you want to lead a prosperous company in today's digital era, you need a good information security policy. The first step in developing an information security policy is to identify which laws, regulations, and information security drivers are applicable to your organization.
A.5.1.1 Policies for information security (ISO/IEC 27002:2022 control 5.1; numbered A.5.1.1 in the 2013 edition)

Control
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

Purpose
To ensure the continuing suitability, adequacy and effectiveness of management direction and support for information security in accordance with business, legal, statutory, regulatory and contractual requirements.

ISO 27002 Guidelines
At the highest level, the organization should define an "information security policy" which is approved by top management and which sets out the organization's approach to managing its information security. The information security policy should take into consideration requirements derived from:
The information security policy should contain statements concerning:
Top management should approve any changes to the information security policy. At a lower level, the information security policy should be supported by topic-specific policies as needed, to further mandate the implementation of information security controls. Topic-specific policies are typically structured to address the needs of certain target groups within an organization or to cover certain security areas. Topic-specific policies should be aligned with and complementary to the information security policy of the organization.
The responsibility for the development, review and approval of the topic-specific policies should be allocated to relevant personnel based on their appropriate level of authority and technical competency. The review should include assessing opportunities for improvement of the organization’s information security policy and topic-specific policies and managing information security in response to changes to:
The review of information security policy and topic-specific policies should take the results of management reviews and audits into account. Review and update of other related policies should be considered when one policy is changed, to maintain consistency. The information security policy and topic-specific policies should be communicated to relevant personnel and interested parties in a form that is relevant, accessible and understandable to the intended reader. Recipients of the policies should be required to acknowledge that they understand and agree to comply with the policies where applicable. The organization can determine the formats and names of these policy documents that meet the organization's needs. In some organizations, the information security policy and topic-specific policies can be in a single document. The organization can name these topic-specific policies as standards, directives, policies or others.

Differences between information security policy and topic-specific policy

                                      Information security policy    Topic-specific policy
Level of detail:                      General or high-level          Specific and detailed
Documented and formally approved by:  Top management                 Appropriate level of management

Topic-specific policies can vary across organizations.

A Formal Approach to Establish Policy
The adoption of one or more information security policies is the first step that the organization takes to express its commitment to the protection of its information resources and the information entrusted to it by partners. The policy statement should clearly communicate the organization's beliefs, goals, and objectives for information security.

Difference between Policy, Standard, Guidelines, Procedure, and Checklist
What's in a name? We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure.
So that those who participate in this consensus process can communicate effectively, we’ll use the following definitions.
Some organizations have developed a "policy on policies" that provides an organizational statement and a set of procedures about how policies are formatted, who develops them, and how they get approved. The benefit of a formal approach is that it makes policy development consistent and recognizes policy development and policy approval authorities. The formal approach can contain the following stages: 1) identify issues, 2) conduct analysis, 3) draft language, 4) get approvals, 5) determine distribution/education, 6) solicit evaluation and review, and 7) plan measurement and compliance. Stages 1 and 2 are considered "pre-development". Stages 3-5 are part of "development". Stages 6 and 7 are "maintenance".

Policy Elements
If the goal of organizational policies is to direct individual behavior and guide organizational decisions, then the effectiveness of formal policy statements will depend upon their readability and usefulness. Many organizations suffer from the lack of a common and consistent approach or format for writing organizational policies. The outline below suggests some common elements that should be included in any security policy.
If a policy is a statement of intent (according to most definitions), then a policy for information security can be defined as a formal high-level statement that embodies the course of action adopted by an organization regarding the use and safeguarding of the organizational information resources. The policy statement should clearly communicate the institution’s beliefs, goals, and objectives for information security.
Also, the information security policy should:
A careful balance must be reached to ensure that the policy enhances organizational security by providing enough detail that community members understand their expected role and contribution, but not so much detail that the organization is exposed to unnecessary risk.

Policies for Information Security
There are a number of methods that can be used as a foundation for an organization's information security policy framework. Choosing the right policy framework is all about what will work best for the organization and its missions. The organization should consider the following when selecting a framework for its information security policy:
It is important to keep in mind that one of the main goals of an information security policy is to issue directives. The difficult part is deciding on the appropriate level of control to exert. The appropriate level should be informed by the following facts:
Organizational Drivers
Since most information security practitioners would agree that it is impossible to protect everything the same way all the time, organizations should identify the business and technical drivers that will guide the creation and implementation of the information security policy as well as assist in its vetting, approval, and socialization. These drivers can be high-level statements that convey the organization's priorities and direction and help stakeholders make the right decisions regarding what standards to require, what technology to deploy, and how to build the architecture required to implement the policy.
Review of Information Security Policy
Most organizations will have a documented periodic policy review process in place (e.g., annual) to ensure that policies are kept up to date and relevant. In some cases, a policy manager determines the need for a new policy or for an update to an existing policy. In a small organization, the role of policy manager may be played by the business owner (e.g., the Chief Information Security Officer may be the owner/manager of the information security policy).

Policy Review and Update Drivers
The information security policy owner or manager will review and update the policy at the required intervals or when external or internal drivers require it. The following are the most common drivers that would prompt a review of the institution's information security policy.
Policy Review and Update Process
The process to review and update the information security policy should include the following steps:
Example of Information Security Policy

Information security policy

Introduction
[ORGANISATION]'s computer and information systems underpin all [ORGANISATION]'s activities, and are essential to [ENTER MAIN BUSINESS/FUNCTIONAL OBJECTIVES HERE]. The [ORGANISATION] recognizes the need for its members, employees, and visitors to have access to the information they require in order to carry out their work and recognizes the role of information security in enabling this. Security of information must, therefore, be an integral part of the [ORGANISATION]'s management structure in order to maintain continuity of its business, legal compliance and adherence to the University's own regulations and policies.

Purpose
This information security policy defines the framework within which information security will be managed across the [ORGANISATION] and demonstrates management direction and support for information security throughout the [ORGANISATION]. This policy is the primary policy under which all other technical and security related policies reside. [ENTER ANNEX LINK HERE] provides a list of all other policies and procedures that support this policy.

Scope
This policy is applicable to and will be communicated to [EXAMPLE: all staff, customers and other relevant parties including senior and junior members, employees, visitors, and contractors]. It covers, but is not limited to, any systems or data attached to the [ORGANISATION]'s computer or telephone networks, any systems supplied by the [ORGANISATION], any communications sent to or from the [ORGANISATION] and any data – which is owned either by the University or the [ORGANISATION] – held on systems external to the [ORGANISATION]'s network.

Organisation of information security
The [HEAD OF DEPARTMENT] is ultimately responsible for the maintenance of this policy and for compliance within the [ORGANISATION]. This policy has been approved by [SENIOR MANAGEMENT GROUP] and forms part of its policies and procedures.
[SENIOR MANAGEMENT GROUP] is responsible for reviewing this policy on an annual basis. It will provide clear direction and visible support and promote information security through appropriate commitment and adequate resourcing. The [INFORMATION SECURITY ROLE] is responsible for the management of information security and, specifically, for providing advice and guidance on the implementation of this policy. [OPTIONAL DEPENDING ON ORGANISATION SIZE] The [INFORMATION SECURITY ADVISORY GROUP], comprising representatives from all relevant sections of the [DEPARTMENT/OTHER UNIT], is responsible for identifying and assessing security requirements and risks. It is the responsibility of all line managers to implement this policy within their area of responsibility and to ensure that all staff for whom they are responsible are 1) made fully aware of the policy, and 2) given appropriate support and resources to comply. It is the responsibility of each member of staff to adhere to this policy.

Policy Statement
The [ORGANISATION] is committed to protecting the security of its information and information systems. It is also committed to a policy of education, training, and awareness for information security and to ensuring the continued business of the [DEPARTMENT/OTHER UNITS]. It is the [ORGANISATION]'s policy that the information it manages shall be appropriately secured to protect against breaches of confidentiality, failures of integrity or interruptions to the availability of that information, and to ensure appropriate legal, regulatory and contractual compliance. To determine the appropriate level of security control that should be applied to information systems, a process of risk assessment shall be carried out in order to define security requirements and identify the probability and impact of security breaches.
Specialist advice on information security shall be made available throughout the [DEPARTMENT/OTHER UNIT] and advice can be sought via the Organization's Information Security Team [ADD URL] and/or [ADD ADDITIONAL URLS, if required]. It is the [UNIT NAME]'s policy to report all information or IT security incidents or other suspected breaches of this policy. The [UNIT NAME] will follow the Organization's advice for the escalation and reporting of security incidents; data breaches that involve personal data will subsequently be reported to the Organization's Data Protection Officer. Records of the number of security breaches and their type should be kept and reported on a regular basis to the [SENIOR MANAGEMENT GROUP/INFORMATION SECURITY ROLE]. Failure to comply with this policy as a result of deliberate, malicious or negligent behaviour may result in disciplinary action.

If you need assistance or have any doubt and need to ask any questions, contact me at [email protected]. You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.