[BreachExchange] Best Practices for Implementing an IT/Cybersecurity Policy

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 2 20:11:34 EDT 2017


http://resources.infosecinstitute.com/best-practices-implementing-itcybersecurity-policy/

An essential part of a company’s cybersecurity program is the creation and
implementation of a workplace security policy, a document that outlines all
plans in place to protect physical and information technology (IT) assets.
In practice, a policy is a set of rules, instructions, and information for
a company’s end users and guests, aimed at ensuring a highly secure,
reliable, and compliant digital environment. In addition to giving a
company’s staff a framework for keeping the network secure, the scope of any
policy is also to raise awareness of the potential risks and to shine a
light on possible vulnerabilities and how they can be corrected, so that
employees are better equipped to prevent them.

It is clear, then, that devising a good security policy is crucial to an
organization’s success. Although templates are available and laws and
regulations mandate information to include, businesses should make sure to
devise a working document that takes into consideration the kind of work
the business carries out, the needs of the staff and the types of
cyber-related attacks that the organization may encounter.

Security policies – what should a well-written policy contain?

Before getting into the nuts and bolts of the actions users are allowed to
take on the company network, it is essential that the policy clearly states
its purpose. For employees to fully embrace the importance of the material
covered, the policy must explain the reasons for its existence and, of
course, under which authority it is implemented, the regulations that
sustain it and who was involved in its development. This last point
deserves careful planning on the part of the IT staff tasked with preparing
the document. To devise an effective policy, as many parties as possible
within the organization must be involved and consulted, not just IT
practitioners. Listening to the concerns and operational requirements of
each department is an important step in writing policies that answer the
demands of the organization and serve its needs. A policy that is perceived
as far removed from the everyday work of each employee is a document that
fails from the start.

In addition to the legal basis and initial information contained in the
introductory statements, the first chapters should also include any
information on the monitoring of communications while using company assets
and details on the expectation of privacy, or lack thereof. The policy also
needs to identify which assets are critical and which information is
sensitive. An all-encompassing policy would be ideal but unrealistic, so it
is paramount to identify early in the process the minimum requirements to
keep the network safe, which resources and data must be defended from
attacks and prying eyes, and which type of breach would cause the most
damage to the company’s assets and reputation.

The section that users typically pay the most attention to is the one
containing the chapters on practical matters such as password requirements,
hardware and software restrictions, and classification of data. A good
policy needs to address in detail the operational rules for all the devices
employees might need to use for their work, from specific hardware to mobile
phones, laptops, tablets and peripherals, as well as the sites that can be
accessed or that are expressly prohibited. The document needs to be clear
about what constitutes allowable use of resources: personal use of assets,
allowable e-mail, rules on uploading or downloading files or sharing
documents, access to social networks, and rules concerning the streaming of
video and the use of chat systems. This is particularly important in
companies that make full use of a distributed workforce, with employees
tapping into the network from remote locations or mobile devices, or that
even use personal devices through BYOD (Bring Your Own Device) programs.

Once all guidelines and rules are spelled out, the policy also needs to
address in detail the particulars of the company’s incident program, with
unambiguous information on what is considered an infraction or violation
and what the possible consequences of each misuse of resources are. The
document may refer to more in-depth policies and standard operating
procedures (documents that employees can consult for more detailed
information) and to the points of contact employees can turn to when they
need additional information or want to report issues.

A well-thought-out security policy

So far, we have seen the basic elements that are normally included in a
security policy document; however, merely preparing such a document is not
sufficient. To be effective in protecting the company’s digital assets,
other aspects need to be considered.

First, the policy must be carefully devised and must strike the right
balance between business requirements and security needs. The use of the
internet for research, of social networks for communication and
relationship-building, and the possibility of tapping remotely into company
resources and working on the go are all realities of today’s business
environment; an overly restrictive document that impairs the use of these
resources would be detrimental to the ability of staff to be fully
productive. At the same time, however, it is important to recognize the
most common mistakes users make and how to better protect the network from
the vulnerabilities and risks that their actions create.

Clarity is also one of the main aspects to be considered. A great security
policy is ineffective if its concepts are not explicitly stated in language
that anybody, and not just IT geeks, can fully understand. Giving due
consideration to the audience allows the policy to be tailored to the real
needs of the employees. A policy full of legalese, references to laws and
regulations, and general references to security might satisfy legal
requirements but would do little to guide staff toward the correct, safer
use of resources. Unambiguous language, specific examples, clear
expectations and well-defined consequences for breaches and violations are
the staples of a well-written policy. It is also important for this
document to be as concise as possible. Busy professionals often ignore a
lengthy succession of pages; therefore, it is always better to give quick
and clear guidelines and to create separate reference documents that
address specific issues.

Frequent revising is another important aspect. Policies need to be living
documents, often updated, yearly at the very least. This is essential to
make sure the guidelines are always in line with the demands of new
technologies and address issues that arise in the ever-changing IT
landscape. Continuously refreshing the document also conveys to the staff
its relevance and importance to the management.

The fourth important aspect of a well-thought-out policy is distribution.
The best policy is not at all effective if it is not read, known and
referenced. Making sure all personnel are aware of their responsibilities
and rights when using company IT resources is important, and companies must
devise effective (and often creative) ways to make sure everyone is aware
of the existence of specific regulations and policies. The first exposure
should come right at in-processing, with mechanisms that require employees
to read and acknowledge the IT security policy before they can access the
systems. Afterward, annual recertification (even through computer-based
training, already a reality in many government departments), all-hands
meetings to present specific issues or updates, as well as tip-of-the-day
e-mails and newsletters are all great ways to keep the topic current in the
minds of all employees with access to the network.

Management involvement is also essential. Executives who participate in
training or who discuss the importance of safe online behavior make
manifest how important the topic is for the company and communicate to
employees that the safety of the digital assets is of paramount importance
and that their protection is a critical component of every job.

Last, but obviously not least, is the need for compliance and reporting. A
good policy needs to address compliance with any regulations that apply to
the company. The organization also needs to devise a system of monitoring
and reporting that shows how well employees understand the policy. Keeping
track of metrics that show the level of compliance with IT security rules,
the level of understanding of those rules, and the number of breaches can
reveal how effective the security policy is and how well the staff
understands it. This is important for pointing out which areas might still
be unclear and should be addressed, and which issues should be tackled in
future editions.

Policy Awareness

“A security policy is a company’s best weapon in defending against a
possible breach or helping to restore a network and information if a breach
has happened,” says Irfan Shakeel, InfoSec Institute Contributing Writer.
As mentioned, however, simply implementing a security policy does not
protect the company’s digital assets. The entire staff needs to be
sensitized to the topic and trained to recognize and respond to at least
the most common attacks, to minimize the risk of personnel unintentionally
mishandling information or disseminating sensitive data to outsiders; this
requires additional training and awareness to build and maintain a secure
environment. “After all, your employees are the gatekeepers of your
company’s information, making them the first line of defense against
corporate account takeover,” says Frank Sorrentino, CEO of ConnectOne Bank
and Forbes contributor.

An awareness program made of formal training, online resources, tips,
posters, and campaigns can point out for employees the most critical
concepts in the policy and help them focus on what is most relevant to
their role. Through case studies and examples taken from real life,
employees can relate to the material covered and see its importance in
their everyday activities.

Also, a good, multi-faceted security awareness program ensures personnel
fully understand the purpose behind an organizational policy to safeguard
data and encourages them to take on their individual and collective
responsibility for taking reasonable measures to mitigate losses arising
from a data breach. In fact, a security awareness program is designed not
only to educate users on the security policy of an organization, but also
to convey it. That said, a policy is in place to protect employees and
customers in addition to the organization.

Conclusion

A company-wide policy is a fundamental part of a company’s IT security
strategy only if it is developed with the input of all departments within
the company and not only addresses responsibilities but also takes into
consideration the needs of the entire workforce. Although the skeleton of a
security policy is often the same for businesses of any size, taking the
time to tailor the document to the specific needs of each organization,
while continuously updating it and making sure the entire workforce is well
aware of its contents, ensures true protection of a business’s digital
environment.