How to write your company's it security policy it-toolkits

2/29/2016 How to write your company's IT securitypolicy- IT-Toolkits.org
http://it-toolkits.org/blog/?p=437 1/4
How to write your company's IT security policy - IT-
Toolkits.org
If my consultancy conversations usually start with “so, you think your business is secure?”, they
invariably end with a response of “so, what can we do about it then?”. This is where I really confuse
them by not immediately talking about solutions and software, but instead about best practices,
education and policy.
Formal information-security policies are often seen as the sole territory of larger enterprises, but this
couldn’t be further from the truth. Every business – no matter how small – can benefit from
implementing such a policy. The benefit runs much deeper than merely having a formal document: it
really comes from the process of thinking about what data security means to your business, and
creating a written, structured response to those needs. This process of thinking about security – and I
mean really thinking about it, from top to bottom – is always an eye-opener for the team involved.
Every business – no matter how small – can benefit from implementing such a policy
Even for those businesses at the smallest end of the SME scale, which are often only one bloke and
his dog, this will be a team process. I’d never consider taking on a policy-creation job all by myself.
This may not raise your opinion of how consultants work, but the bare truth is that unless policy
creation involves those working at the coalface of the business, it’s totally pointless. The reason I can
make such a sweeping statement can be best explained by making you understand what actually
constitutes a security policy.
Strip it right back to its basics, and an information-security policy can be defined as a commitment to
protect all the data that a firm creates and uses. Start fleshing out this simple definition, and the all-
encompassing desire for data defence becomes your guide to exactly how the levels of required
protection can be both achieved and maintained.
Leaving this to a third party – or even delegating responsibility on a departmental basis – is security
suicide: your IT bods (assuming you have such a luxury) may produce a technical draft, which is given
a jargon-vacuuming by the personnel department, before finally being rendered totally
incomprehensible by the legal department. A sustainable and effective security policy has to be
written from the ground up, with input from the top down.

Depending upon the size of your organisation, this could mean the sole proprietor meets with an
outside consultant, or the board of directors works with the IT department, personnel, legal and the
shop floor. The main point is that everyone must be represented, so your entire business is included;
and that all foreseeable risks to the company’s data are mitigated as far as possible as a result.
Practical policy
One of the problems when talking about a security policy lies in ensuring that The Powers That Be
truly understand that it should be – indeed must be – something practical and useful at a business
level. This is especially true for small businesses, where information security is often regarded as an
inconvenient interference with day-to-day work, rather than an integral part of the business process.
An information-security policy – as with an acceptable-use policy or even a contract of employment –
is useless if it’s merely signed and consigned to a filing cabinet until after a breach has occurred.
I’ve heard IT security consultants talk about a policy document as being a “living, breathing, part of
the business”. Frankly, this is a step too far for me and most of the folk I work with. I prefer to think of
it as a written information-security programme (WISP). In other words, it isn’t a bunch of boring files,
but a collection of policy documents, along with the steps that need to be taken in order to enforce the
policies they contain.
Some state governments in the US have even gone so far as to include this WISP requirement within
their information-security legislation: Massachusetts, for example, requires every person who “owns or
licenses personal information” to “develop, implement, and maintain a comprehensive information-
security programme that is written in one or more readily accessible parts”, and which contains
administrative, technical and physical safeguards.
I’ve started using this WISP definition as my take-off point when talking to a business about building a
meaningful policy. I place that “readily accessible parts” phrase at front and centre of any initial policy-
creation meetings. It’s crucial that everyone understands that “readily accessible” means accessible
to all employees; this in turn means that suitable training and educational courses are available to
them all.
If this is starting to sound expensive, then you’re missing the point. Of course there’s a cost attached
to creating a policy, in terms of consultancy time as well as implementation. However, that cost must
be balanced against the risk of not having a policy – which is likely to result in a broader “attack
surface” – and to the expenses to the business when the inevitable breach occurs.
Mere mention of the T word (training) usually elicits groans from whoever has control of the security
budget. However, as far as information policy is concerned, this can be as simple as sitting with an
employee in a room for an hour and explaining how the policy applies to their particular role, and
answering any questions they may have as a result. It doesn’t have to mean dragging in a third-party
company. In my experience, training sessions that are conducted in-house by work colleagues have
vastly greater benefits when it comes to security policy.
You should always include a section detailing your incident-response strategy

I know you’re probably hoping that I’m about to provide you with the magic ingredients for a one-size-
fits-all information-security policy, a kind of WISP template for every business. Prepare to be
disappointed, dear reader, since I can’t do this – for reasons that are so obvious I’m not going to
waste my time typing them up. However, what I can do is point you in the right direction and give you
some food for thought.
Think in terms of allocating accountability, and understanding the roles and responsibilities of staff
within categories of management, “key staff” and everyone else. Creating formal accountability and
defining these roles helps to focus attention on the classes and value of data within the business, and
also to manage expectations about who is to do what and when.
Once you know what data you have and what value it has to your organisation, and you’ve defined
specific security responsibilities among your staff, it’s relatively easy to start determining in a real-
world way who should be allowed to access, modify and distribute that data. Equally important are the
particular policies you apply to network services, including cloud provision and remote access
(including BYOD), as well as the more mundane internal network provisioning. Don’t forget the system
basics as far as mission-critical OS and server configurations are concerned, which should include
account and password management along with your intrusion-
detection processes.
Then there’s the small matter of how you handle things if the worst does happen: you should always
include a section detailing your incident-response strategy. This needs to be a hands-on and step-by-
step description of how to delegate responsibilities, and must specify the procedures to follow if a
breach occurs: everything should be given thought, from locking down systems and evaluating
damage upon discovery of a breach, to post-breach notifications and forensic. Oh, and the need for
training and education needs to be explicitly spelled out within your policy document, along with what’s
expected of all staff from top to bottom in terms of acceptable and unacceptable behaviours.
Physical security
Remember to account for physical security within your policy documents: it’s easy to overlook, which
is probably why it’s so often missed out of information-security policies (doh!). You know, stuff such as
who has access to your office, your servers, your laptop, your smartphone, your USB thumbdrives
and the rest, and how you physically secure these things. Finally, don’t get caught up in the kind of
self-examination that leads many people to start asking whether this is a policy, a guide or a standard.
If you’ve truly understood the concept of WISP that I spoke about earlier, then you should appreciate
that in effect it’s all three.
That’s about as far as I can go, other than to say that the best advice I can offer the small-business
owner on effective policy creation is that knowing what you don’t know is just as important (if not more)
than knowing what you do know. Computers and the internet didn’t exist when Sun Tzu, author of The
Art of War, was living around 2,500 years ago, but some of his principles still apply to today’s
information battlefield: “If you know the enemy and you know yourself, your victory will not stand in
doubt.”

A good starting point in knowing yourself, or rather the effectiveness of your security strategy, is to
take the quick online AVG Small Business IT Security Health Check. It’s free of charge and takes only
a few minutes to complete. I’m not recommending AVG or otherwise here, but this questionnaire is
hugely useful in provoking the kind of holistic thinking you need to truly understand the data-security
landscape of your business.
You may also like

How to write your company's it security policy it-toolkits

More Related Content

What's hot

Viewers also liked

Similar to How to write your company's it security policy it-toolkits

More from IT-Toolkits.org

Recently uploaded

How to write your company's it security policy it-toolkits