SlideShare a Scribd company logo

Information security policy how to writing

P
PasangdolmoTamang

An information security policy document is summarized as follows: 1. The document provides guidance on developing an effective information security policy, including why policies are needed, what they should contain, potential sources for policies, and how to implement them. 2. Key components of an information security policy include a clear purpose, scope, roles and responsibilities, policy statements, and procedures to ensure compliance. Policies should be based on standards like ISO 27001 and tailored to an organization's needs. 3. A phased approach to implementing policies across an organization is recommended, starting with areas like IT that provide critical services and are already well-managed. User involvement and compliance monitoring are also important for effective policy operation.

Internet
1 of 9
Download to read offline
INFORMATION SECURITY: HOW TO WRITE AN INFORMATION SECURITY POLICY Introduction Why have a policy? What is a policy? Document structure Sources of policy Authorisation, implementation and operation of policies Summary Further help and advice Introduction This section is intended to help you produce an information security policy. Some of the information contained here is of a particularly detailed and complex nature and may not, therefore, be relevant for all companies. We have, however, tried to ensure that there is advice for all organisations, irrespective of size or experience. Producing an information security policy should not be seen as a difficult task. What is important is that it should give clear policy direction and management support for the implementation and maintenance of information security. To be effective the policy should be relevant, accessible and understandable to all intended users throughout the organisation. A policy needs management commitment, supporting procedures, an appropriate technical framework within which it can be implemented, a suitable degree of authority, a means by which compliance can be checked and a legally agreed response in the event of it being violated. Sound policies are the basis for good information security. Their role is to provide focus and direction and act as the element that binds all aspects of information security management. The characteristics of any policy depend on many factors. These can be collectively described as the culture of the organisation. Some organisations have a strong ‘command and control’ culture. This can result in policies that contain strong, imperative statements (for example, ‘You will log off at the end of each working day.’). Other organisations may use subtler phrases, designed to persuade those who are subject to the policy. Whichever culture or management style your organisation adopts, the purpose of an information security policy is to help to manage risk and reduce it to an acceptable level. 1
Why have a policy? As companies grow, previous methods of communication can become less effective. For example, informal understandings and chats in the corridor can prove insufficient. Legal and regulatory pressures increase as companies expand. Providing the entire company with clear, concise, internal governance can bring real benefits in terms of efficiency as well as a means of reducing information risk. A clear information security policy can: • reduce ambiguity • provide clear management direction and commitment • establish agreed roles and responsibilities Consideration of the above points can provide a means of dealing with the inevitable difficulties that emerge when managing information. Such difficulties may include balancing the need to share information with the need to restrict its access. Policy is an expression of intent. It needs to be supported by subordinate policies and pragmatic procedures. An outline map of a full document set is shown below: What is a policy? There are many different terms in use to describe an information security policy. In the USA, for example, it is common to use the term ‘policy’ for documents that are often described in the UK as ‘standards’. This can lead to misunderstanding. The model in this document uses the following terms: • corporate information security policy • specific policies • standards • procedures 2
Corporate information security policy A corporate policy sets out an organisation’s intentions and principles regarding information security. It should be timeless in that it should alter little from year to year. Corporate policy must: • be clear and unambiguous • include statements covering: – scope – legal and regulatory obligations – roles and responsibilities – strategic approach and principles – approach to risk management - action in the event of a policy breach. The policy should be endorsed at the highest level – for example, by the MD or Chief Executive. Specific policies These change more rapidly than corporate policies. As they are more detailed they need to be reviewed more regularly. Examples of specific policies include: • information classification • access control • operations • incident management • physical security • human resources • third-party access • business continuity management Standards Security standards provide guidance towards achieving specific security policies, often related to particular technologies or products. They are used as a benchmark for audit purposes and are derived from: • industry best practice • experience • business drivers • internal testing They must be reviewed regularly to ensure that new releases and vulnerabilities are addressed. Examples of standards include: • UNIX server builds • firewall configurations • connectivity protocols Procedures Procedures should be: • clear • unambiguous • up-to-date • tested • documented 3
Examples of procedures include: • incident reporting • incident management • user ID addition/removal • server backup Document structure You may find that you need to adhere to an already established format for publishing internal policies. It is not always possible to follow the suggested headings below, but you should attempt to do so. Note that this format is suggested for specific policies rather than the corporate information security policy that has been outlined previously. Suggested headings for internal policies These are listed below and subsequently summarised in bullet points: Summary Version number and change record 1.0 Introduction 1.1 Definitions and scope 1.2 Authority (including any legal or regulatory issues) 2.0 Objectives and basic principles 3.0 Roles and responsibilities 4.0 Policy 4.1 Statement heading 1 4.2 Statement heading 2 4.3 Statement heading 3 etc. • The summary is straightforward, providing a single page (maximum) of information that allows the reader quickly to understand the purpose, authority and scope of the policy. • The version number and change record are important as they ensure that the most up-to-date policy is applied. • Definitions (especially of technical terms) are essential. There are some terms (such as ‘integrity’) that have a very specific meaning in the context of information security. All such terms should be explained in this section. It’s important to remember that you are not trying to provide a true dictionary definition; the definitions should be used in the context of the policy (make sure you use the same definitions across an entire document set). • The scope of the policy should define those people to whom the policy applies, and in what circumstances. There may, for example, be policies that apply solely to full-time employees. Others may apply specifically to senior managers while further policies may only be relevant in certain circumstances, such as night shifts or when staff are traveling abroad. 4
• Each policy should include details of whatever authority supports the policy (such as the Board, the Company MD or the Head of HR). • Each policy should have a set of objectives (if you can’t define these, you should consider your reasons for having the policy in the first place). The basic principles include statements such as ‘We will operate on a “need-to know” basis’ (or conversely, ‘on a “need-to-restrict” basis’). This enables you to establish the principles by which you wish to operate. They are related to, but independent of, actual policy statements. • Roles and responsibilities are related to the scope statement. As an example, the following roles and responsibilities can be agreed and published. The Board is ultimately responsible for ensuring that information security is properly managed. The Information Security Manager is responsible for: – the development and upkeep of this policy – ensuring this policy is supported by appropriate documentation, such as procedural instructions – ensuring that documentation is relevant and kept up-to-date – ensuring this policy and subsequent updates are communicated to relevant departments and personnel. All staff are responsible for adhering to this policy, and for reporting any security breaches or incidents to the Security Manager. • Policy statements should be unambiguous, concise and establish intent. The following statements are provided as an example of what you might expect to see in the management of highly privileged computer user accounts. Privileged accounts The setting up of privileged accounts should be kept to the minimum. Formal processes will be applied in cases where it is considered appropriate to issue special privileges to users. These processes will: – identify the privileges associated with each component of a system (e.g. the operating system, database management system or application) – identify the categories of user requiring special privileges (e.g. ‘system administrator’) – allocate privileges on a restricted basis (e.g. ‘need-to-use’ or ‘event-by- event’ basis) – maintain a record of privileges allocated – ensure that the authorisation process has been completed before privileged access is allowed. Users issued with special privileges will have different IDs for privileged and non- privileged accounts. Group user IDs should only be used in special cases. 5
Sources of policy Policies are normally based on existing, published standards, such as ISO/IEC 27001, which provides a specification for an information security management system (ISMS). At the very highest corporate level, there are risk management-related publications (such as the Cadbury and Turnbull reports – see www.ecgi.org and www.icaew.co.uk/internalcontrol ) that have had considerable impact. The sections below provide a number of potential sources of policy-related material. The ISO/IEC 27000 standards ISO/IEC 27002 is a code of practice for information security management. It is designed to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used. This code of practice started life as the UK standard BS 7799-1 in 1995 and was then released as an international standard in 2000 and revised in 2005 in line with normal ISO procedures. It was renumbered as ISO/IEC 27002 in 2007. ISO/IEC 27001 (previously BS 7799-2) provides a specification for an information security management system (ISMS). This includes a number of processes for designing, implementing, maintaining and updating an ISMS. ISO/IEC 27001 can be used for ISMS certification according to the European standard EN45012 and the accreditation guidelines standard ISO 27006 (previously EA 7/03). Further developments in information security standards are ongoing and a “family” of such standards now features in the ISO 27000 series. Further information about the 27000 standards as well as the worldwide register of organisations which have gained accredited certification to ISO 27001 can be found at: http://www.iso27001certificates.com/ The UK ISO/IEC 27001 User Group exists to promote awareness of, and share good practice in relation to, ISO/IEC 27001 and information security management systems. Membership (the Group is free to join) benefits include workshops and newsletters. The Group’s website provides further information. All these standards and guidelines can be purchased from BSI (www.bsi-global.com) or ISO (www.iso.ch) BSI IT security baselines The Bundesamt für Sicherheit in der Informationstechnik (BSI) is a German government agency tasked with producing standards for IT security for the federal government. The agency has an English version of its IT Baseline Protection Manual which is designed to: • help solve common security problems • create a baseline of security for IT systems • simplify the creation of IT security policies 6
This document provides in-depth guidance (over 1600 pages) and baseline controls. The baselines have a strong technical bias and are aimed at IT security professionals, although they do provide a good source of sound advice. The baselines are regularly updated and are available in many formats (to download, in hard copy or on CD). Most of these are free of charge, but check the web site (www.bsi.de) for further details. COBIT The Control Objectives for IT (COBIT) were designed as a control framework that combines widely accepted control objectives and a supporting toolset. COBIT has a range of products, including a management guide, control objectives and related support material. It was produced by ISACA (Information Systems Audit & Control Association – the internal audit professional representative body) and although aimed at audit professionals, it provides a robust framework for the larger organisation. There is no proposed certification process as COBIT depends on ISACA certified auditors (with the appropriate qualification) as the main controlling body. Most of the document set is freely available in English from www.isaca.org GASSP The Generally Accepted System Security Principles (GASSP) were originally developed by the Computer Security Institute in order to meet US government needs. They are based on multiple sources, including OECD guidelines and BS 7799. They are aimed at general management as well as information security specialists, and are freely available in English from: • www.gocsi.com • web.mit.edu/ist/topics/security Information Security Forum (ISF) Standard of Good Practice The Standard of Good Practice (SOGP) was designed to provide a target against which ISF members can measure their information security management performance. It consists of a series of control objectives matched to control statements, which are based on what is considered by the ISF to be ‘good practice’. The SOGP was produced as a result of findings from the ISF survey process (full details of which are only available to ISF members). The SOGP is now publicly available and is aimed at information security professionals. It is updated every two years and is available in English from the following web sites: • www.isfsecuritystandard.com • www.securityforum.org 7
Information Technology Infrastructure Library (ITIL) ITIL is a collection of best practices in IT service management, consisting of a series of books giving guidance on the provision of quality IT services. ITIL is drawn from the public and private sectors internationally, supported by a comprehensive qualification scheme and accredited training organisations. It includes descriptions of best practice in information security management as well as other related disciplines. For further details visit www.itil.co.uk Authorisation, implementation and operation of policies Authority You will need to ensure that your policy and supporting documents are appropriately authorised. In some organisations, the MD’s signature may suffice. In many other companies it is best to seek authority from a broad range of senior executives, perhaps in the following departments: • finance • operational heads • personnel/HR • legal Implementation It would be difficult to implement an entire policy document set across an organisation at any one given time. A phased approach usually works best, choosing an area with easily defined boundaries and one which supports a range of other services, e.g. the central IT function. Why the central IT function? • This is normally a critical internal service provider in which high assurance is essential. • Much security is delivered through technology. • IT provision is often already well managed. • The scope does not have to include all users. • Subsequent phases can concentrate on core business and IT end-users, as the IT function will then be compliant with policy. A second target could be the personnel or human resources function. The reasons for choosing this are broadly similar to those for initially choosing the IT function. Subsequent target areas will benefit from this work, and it will be easier to implement policies as central ‘service providers’ will be covered by the policy already. Operation As part of the broader issue of managing information security comes the need to monitor compliance with (and effectiveness of) your policies. You will find that some policy statements are not adhered to (e.g. people may share passwords). This can be because they would detract from normal work, or are perceived as being excessively costly. 8
9 In most cases the key to effective security is to set policy that can be achieved and to ensure compliance. You will also need to have suitable processes for dealing with the inevitable, but few, valid policy exceptions. However, be prepared to modify your statements based on feedback. People will comply more readily if they have been involved in policy development and feel they are stakeholders. In time, the policy set should become the benchmark for any audit processes used. Summary • Writing a policy is easy. Implementation can be more difficult. • Get ‘buy-in’ to a policy from senior management. If people are involved in the developmental stage, they are much more likely to comply with policy requirements. • Obtain the appropriate authority for a policy. Make sure it relates to your corporate culture. • Policy is only part of a broader set of control-related elements that make up information security. • Implement a policy gradually. • Don’t reinvent the wheel. Use policy templates such as the one contained in the BERR publication “Information Security: A Business Manager’s Guide”, and standards such as ISO/IEC 27001 and 27002. Please refer to the section on Legislation, Policy and Standards in our business advice pages (see below) for further information. Further help and advice General BERR Information Security Health Check Tool http://www.securityhealthcheck.berr.gov.uk/ BERR Information Security Home page www.berr.gov.uk/sectors/infosec BERR Information Security Business Advice pages http://www.berr.gov.uk/sectors/infosec/infosecadvice/page10059.html BERR Information Security Publications (available to order or download) http://www.berr.gov.uk/sectors/infosec/infosecdownloads/page9935.html Published by the Department for Business, Enterprise & Regulatory Reform www.berr.gov.uk © Crown Copyright. URN 09/643.

Recommended

Introduction to xhtml
Introduction to xhtmlIntroduction to xhtml
Introduction to xhtml
Dhairya Joshi
 
Html phrase tags
Html phrase tagsHtml phrase tags
Html phrase tags
eShikshak
 
Security policy
Security policySecurity policy
Security policy
Dhani Ahmad
 
Html links
Html linksHtml links
Html links
eShikshak
 
Html forms
Html formsHtml forms
Html forms
Himanshu Pathak
 
Data structure and algorithm using java
Data structure and algorithm using javaData structure and algorithm using java
Data structure and algorithm using java
Narayan Sau
 
Arrays in Data Structure and Algorithm
Arrays in Data Structure and Algorithm Arrays in Data Structure and Algorithm
Arrays in Data Structure and Algorithm
KristinaBorooah
 
Information Security
Information SecurityInformation Security
Information Security
Dhilsath Fathima
 

Recommended

Introduction to xhtml
Introduction to xhtmlIntroduction to xhtml
Introduction to xhtml
Dhairya Joshi
 
Html phrase tags
Html phrase tagsHtml phrase tags
Html phrase tags
eShikshak
 
Security policy
Security policySecurity policy
Security policy
Dhani Ahmad
 
Html links
Html linksHtml links
Html links
eShikshak
 
Html forms
Html formsHtml forms
Html forms
Himanshu Pathak
 
Data structure and algorithm using java
Data structure and algorithm using javaData structure and algorithm using java
Data structure and algorithm using java
Narayan Sau
 
Arrays in Data Structure and Algorithm
Arrays in Data Structure and Algorithm Arrays in Data Structure and Algorithm
Arrays in Data Structure and Algorithm
KristinaBorooah
 
Information Security
Information SecurityInformation Security
Information Security
Dhilsath Fathima
 
WWW, WEB BROWSER AND SEARCH ENGINE
WWW, WEB BROWSER AND SEARCH ENGINEWWW, WEB BROWSER AND SEARCH ENGINE
WWW, WEB BROWSER AND SEARCH ENGINE
ruledbyrobotics2080
 
Introduction to HTML and CSS
Introduction to HTML and CSSIntroduction to HTML and CSS
Introduction to HTML and CSS
Ferdous Mahmud Shaon
 
Hacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and ThreatsHacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and Threats
Eric Vanderburg
 
computer language - Html frames
computer language - Html framescomputer language - Html frames
computer language - Html frames
Dr. I. Uma Maheswari Maheswari
 
Legal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information SecurityLegal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information Security
Carl Ceder
 
Brute Forcing
Brute ForcingBrute Forcing
Brute Forcing
n|u - The Open Security Community
 
Cyber Security Standards Compliance
Cyber Security Standards ComplianceCyber Security Standards Compliance
Cyber Security Standards Compliance
Dr. Prashant Vats
 
Administering security
Administering securityAdministering security
Administering security
G Prachi
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
Client side scripting using Javascript
Client side scripting using JavascriptClient side scripting using Javascript
Client side scripting using Javascript
Bansari Shah
 
Internet anonymity and privacy
Internet anonymity and privacyInternet anonymity and privacy
Internet anonymity and privacy
Dooremoore
 
White hat and black hat hackers
White hat and black hat hackersWhite hat and black hat hackers
White hat and black hat hackers
Bilal Ahmed
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
Sibghatullah Khattak
 
Encryption ppt
Encryption pptEncryption ppt
Encryption ppt
Anil Neupane
 
Cascading style sheets (CSS-Web Technology)
Cascading style sheets (CSS-Web Technology)Cascading style sheets (CSS-Web Technology)
Cascading style sheets (CSS-Web Technology)
Timbal Mayank
 
Complete Lecture on Css presentation
Complete Lecture on Css presentation Complete Lecture on Css presentation
Complete Lecture on Css presentation
Salman Memon
 
Microsoft office introduction
Microsoft office introductionMicrosoft office introduction
Microsoft office introduction
Vishal Patyal
 
Web Design Notes
Web Design NotesWeb Design Notes
Web Design Notes
butest
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
Directorate of Information Security | Ditjen Aptika
 
Security Management | System Administration
Security Management | System AdministrationSecurity Management | System Administration
Security Management | System Administration
Lisa Dowdell, MSISTM
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aCHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, a
MaximaSheffield592
 
Harrisburg UniversityISEM 547 IT PolicyOb.docx
Harrisburg UniversityISEM 547 IT PolicyOb.docxHarrisburg UniversityISEM 547 IT PolicyOb.docx
Harrisburg UniversityISEM 547 IT PolicyOb.docx
shericehewat
 

More Related Content

What's hot

WWW, WEB BROWSER AND SEARCH ENGINE
WWW, WEB BROWSER AND SEARCH ENGINEWWW, WEB BROWSER AND SEARCH ENGINE
WWW, WEB BROWSER AND SEARCH ENGINE
ruledbyrobotics2080
 
Introduction to HTML and CSS
Introduction to HTML and CSSIntroduction to HTML and CSS
Introduction to HTML and CSS
Ferdous Mahmud Shaon
 
Hacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and ThreatsHacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and Threats
Eric Vanderburg
 
computer language - Html frames
computer language - Html framescomputer language - Html frames
computer language - Html frames
Dr. I. Uma Maheswari Maheswari
 
Legal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information SecurityLegal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information Security
Carl Ceder
 
Brute Forcing
Brute ForcingBrute Forcing
Brute Forcing
n|u - The Open Security Community
 
Cyber Security Standards Compliance
Cyber Security Standards ComplianceCyber Security Standards Compliance
Cyber Security Standards Compliance
Dr. Prashant Vats
 
Administering security
Administering securityAdministering security
Administering security
G Prachi
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
Client side scripting using Javascript
Client side scripting using JavascriptClient side scripting using Javascript
Client side scripting using Javascript
Bansari Shah
 
Internet anonymity and privacy
Internet anonymity and privacyInternet anonymity and privacy
Internet anonymity and privacy
Dooremoore
 
White hat and black hat hackers
White hat and black hat hackersWhite hat and black hat hackers
White hat and black hat hackers
Bilal Ahmed
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
Sibghatullah Khattak
 
Encryption ppt
Encryption pptEncryption ppt
Encryption ppt
Anil Neupane
 
Cascading style sheets (CSS-Web Technology)
Cascading style sheets (CSS-Web Technology)Cascading style sheets (CSS-Web Technology)
Cascading style sheets (CSS-Web Technology)
Timbal Mayank
 
Complete Lecture on Css presentation
Complete Lecture on Css presentation Complete Lecture on Css presentation
Complete Lecture on Css presentation
Salman Memon
 
Microsoft office introduction
Microsoft office introductionMicrosoft office introduction
Microsoft office introduction
Vishal Patyal
 
Web Design Notes
Web Design NotesWeb Design Notes
Web Design Notes
butest
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
Directorate of Information Security | Ditjen Aptika
 
Security Management | System Administration
Security Management | System AdministrationSecurity Management | System Administration
Security Management | System Administration
Lisa Dowdell, MSISTM
 

What's hot (20)

WWW, WEB BROWSER AND SEARCH ENGINE
WWW, WEB BROWSER AND SEARCH ENGINEWWW, WEB BROWSER AND SEARCH ENGINE
WWW, WEB BROWSER AND SEARCH ENGINE
 
Introduction to HTML and CSS
Introduction to HTML and CSSIntroduction to HTML and CSS
Introduction to HTML and CSS
 
Hacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and ThreatsHacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and Threats
 
computer language - Html frames
computer language - Html framescomputer language - Html frames
computer language - Html frames
 
Legal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information SecurityLegal, Ethical, and Professional Issues In Information Security
Legal, Ethical, and Professional Issues In Information Security
 
Brute Forcing
Brute ForcingBrute Forcing
Brute Forcing
 
Cyber Security Standards Compliance
Cyber Security Standards ComplianceCyber Security Standards Compliance
Cyber Security Standards Compliance
 
Administering security
Administering securityAdministering security
Administering security
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Client side scripting using Javascript
Client side scripting using JavascriptClient side scripting using Javascript
Client side scripting using Javascript
 
Internet anonymity and privacy
Internet anonymity and privacyInternet anonymity and privacy
Internet anonymity and privacy
 
White hat and black hat hackers
White hat and black hat hackersWhite hat and black hat hackers
White hat and black hat hackers
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
 
Encryption ppt
Encryption pptEncryption ppt
Encryption ppt
 
Cascading style sheets (CSS-Web Technology)
Cascading style sheets (CSS-Web Technology)Cascading style sheets (CSS-Web Technology)
Cascading style sheets (CSS-Web Technology)
 
Complete Lecture on Css presentation
Complete Lecture on Css presentation Complete Lecture on Css presentation
Complete Lecture on Css presentation
 
Microsoft office introduction
Microsoft office introductionMicrosoft office introduction
Microsoft office introduction
 
Web Design Notes
Web Design NotesWeb Design Notes
Web Design Notes
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
 
Security Management | System Administration
Security Management | System AdministrationSecurity Management | System Administration
Security Management | System Administration
 

Similar to Information security policy how to writing

CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aCHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, a
MaximaSheffield592
 
Harrisburg UniversityISEM 547 IT PolicyOb.docx
Harrisburg UniversityISEM 547 IT PolicyOb.docxHarrisburg UniversityISEM 547 IT PolicyOb.docx
Harrisburg UniversityISEM 547 IT PolicyOb.docx
shericehewat
 
How to Write Good Policies
How to Write Good PoliciesHow to Write Good Policies
How to Write Good Policies
Murray Security Services
 
What are policies procedures guidelines standards
What are policies procedures guidelines standardsWhat are policies procedures guidelines standards
What are policies procedures guidelines standards
Manish Chaurasia
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
durantheseldine
 
How to set up your security policy
How to set up your security policyHow to set up your security policy
How to set up your security policy
Tim Wulgaert
 
There are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database managThere are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database manag
GrazynaBroyles24
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdf
alokkesh
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.ppt
Shruthi48
 
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Bonagiri Rajitha
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...
IT-Toolkits.org
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptx
jojo82637
 
Importance Of A Security Policy
Importance Of A Security PolicyImportance Of A Security Policy
Importance Of A Security Policy
charlesgarrett
 
CLE-Unit-III.ppt
CLE-Unit-III.pptCLE-Unit-III.ppt
CLE-Unit-III.ppt
20214Mohan
 
develop security policy
develop security policydevelop security policy
develop security policy
Info-Tech Research Group
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
Mark Conway
 
standards1.pdf
standards1.pdfstandards1.pdf
standards1.pdf
Karthick Panneerselvam
 
Security policy.pdf
Security policy.pdfSecurity policy.pdf
Security policy.pdf
Md. Sajjat Hossain
 
Fundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsFundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkits
IT-Toolkits.org
 
Writing Effective Policies & Procedures
Writing Effective Policies & ProceduresWriting Effective Policies & Procedures
Writing Effective Policies & Procedures
noha1309
 

Similar to Information security policy how to writing (20)

CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aCHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, a
 
Harrisburg UniversityISEM 547 IT PolicyOb.docx
Harrisburg UniversityISEM 547 IT PolicyOb.docxHarrisburg UniversityISEM 547 IT PolicyOb.docx
Harrisburg UniversityISEM 547 IT PolicyOb.docx
 
How to Write Good Policies
How to Write Good PoliciesHow to Write Good Policies
How to Write Good Policies
 
What are policies procedures guidelines standards
What are policies procedures guidelines standardsWhat are policies procedures guidelines standards
What are policies procedures guidelines standards
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
 
How to set up your security policy
How to set up your security policyHow to set up your security policy
How to set up your security policy
 
There are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database managThere are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database manag
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdf
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.ppt
 
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptx
 
Importance Of A Security Policy
Importance Of A Security PolicyImportance Of A Security Policy
Importance Of A Security Policy
 
CLE-Unit-III.ppt
CLE-Unit-III.pptCLE-Unit-III.ppt
CLE-Unit-III.ppt
 
develop security policy
develop security policydevelop security policy
develop security policy
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
standards1.pdf
standards1.pdfstandards1.pdf
standards1.pdf
 
Security policy.pdf
Security policy.pdfSecurity policy.pdf
Security policy.pdf
 
Fundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsFundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkits
 
Writing Effective Policies & Procedures
Writing Effective Policies & ProceduresWriting Effective Policies & Procedures
Writing Effective Policies & Procedures
 

Recently uploaded

怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 

Recently uploaded (11)

怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 

Information security policy how to writing

  • 1. INFORMATION SECURITY: HOW TO WRITE AN INFORMATION SECURITY POLICY Introduction Why have a policy? What is a policy? Document structure Sources of policy Authorisation, implementation and operation of policies Summary Further help and advice Introduction This section is intended to help you produce an information security policy. Some of the information contained here is of a particularly detailed and complex nature and may not, therefore, be relevant for all companies. We have, however, tried to ensure that there is advice for all organisations, irrespective of size or experience. Producing an information security policy should not be seen as a difficult task. What is important is that it should give clear policy direction and management support for the implementation and maintenance of information security. To be effective the policy should be relevant, accessible and understandable to all intended users throughout the organisation. A policy needs management commitment, supporting procedures, an appropriate technical framework within which it can be implemented, a suitable degree of authority, a means by which compliance can be checked and a legally agreed response in the event of it being violated. Sound policies are the basis for good information security. Their role is to provide focus and direction and act as the element that binds all aspects of information security management. The characteristics of any policy depend on many factors. These can be collectively described as the culture of the organisation. Some organisations have a strong ‘command and control’ culture. This can result in policies that contain strong, imperative statements (for example, ‘You will log off at the end of each working day.’). Other organisations may use subtler phrases, designed to persuade those who are subject to the policy. Whichever culture or management style your organisation adopts, the purpose of an information security policy is to help to manage risk and reduce it to an acceptable level. 1
  • 2. Why have a policy? As companies grow, previous methods of communication can become less effective. For example, informal understandings and chats in the corridor can prove insufficient. Legal and regulatory pressures increase as companies expand. Providing the entire company with clear, concise, internal governance can bring real benefits in terms of efficiency as well as a means of reducing information risk. A clear information security policy can: • reduce ambiguity • provide clear management direction and commitment • establish agreed roles and responsibilities Consideration of the above points can provide a means of dealing with the inevitable difficulties that emerge when managing information. Such difficulties may include balancing the need to share information with the need to restrict its access. Policy is an expression of intent. It needs to be supported by subordinate policies and pragmatic procedures. An outline map of a full document set is shown below: What is a policy? There are many different terms in use to describe an information security policy. In the USA, for example, it is common to use the term ‘policy’ for documents that are often described in the UK as ‘standards’. This can lead to misunderstanding. The model in this document uses the following terms: • corporate information security policy • specific policies • standards • procedures 2
  • 3. Corporate information security policy A corporate policy sets out an organisation’s intentions and principles regarding information security. It should be timeless in that it should alter little from year to year. Corporate policy must: • be clear and unambiguous • include statements covering: – scope – legal and regulatory obligations – roles and responsibilities – strategic approach and principles – approach to risk management - action in the event of a policy breach. The policy should be endorsed at the highest level – for example, by the MD or Chief Executive. Specific policies These change more rapidly than corporate policies. As they are more detailed they need to be reviewed more regularly. Examples of specific policies include: • information classification • access control • operations • incident management • physical security • human resources • third-party access • business continuity management Standards Security standards provide guidance towards achieving specific security policies, often related to particular technologies or products. They are used as a benchmark for audit purposes and are derived from: • industry best practice • experience • business drivers • internal testing They must be reviewed regularly to ensure that new releases and vulnerabilities are addressed. Examples of standards include: • UNIX server builds • firewall configurations • connectivity protocols Procedures Procedures should be: • clear • unambiguous • up-to-date • tested • documented 3
  • 4. Examples of procedures include: • incident reporting • incident management • user ID addition/removal • server backup Document structure You may find that you need to adhere to an already established format for publishing internal policies. It is not always possible to follow the suggested headings below, but you should attempt to do so. Note that this format is suggested for specific policies rather than the corporate information security policy that has been outlined previously. Suggested headings for internal policies These are listed below and subsequently summarised in bullet points: Summary Version number and change record 1.0 Introduction 1.1 Definitions and scope 1.2 Authority (including any legal or regulatory issues) 2.0 Objectives and basic principles 3.0 Roles and responsibilities 4.0 Policy 4.1 Statement heading 1 4.2 Statement heading 2 4.3 Statement heading 3 etc. • The summary is straightforward, providing a single page (maximum) of information that allows the reader quickly to understand the purpose, authority and scope of the policy. • The version number and change record are important as they ensure that the most up-to-date policy is applied. • Definitions (especially of technical terms) are essential. There are some terms (such as ‘integrity’) that have a very specific meaning in the context of information security. All such terms should be explained in this section. It’s important to remember that you are not trying to provide a true dictionary definition; the definitions should be used in the context of the policy (make sure you use the same definitions across an entire document set). • The scope of the policy should define those people to whom the policy applies, and in what circumstances. There may, for example, be policies that apply solely to full-time employees. Others may apply specifically to senior managers while further policies may only be relevant in certain circumstances, such as night shifts or when staff are traveling abroad. 4
  • 5. • Each policy should include details of whatever authority supports the policy (such as the Board, the Company MD or the Head of HR). • Each policy should have a set of objectives (if you can’t define these, you should consider your reasons for having the policy in the first place). The basic principles include statements such as ‘We will operate on a “need-to know” basis’ (or conversely, ‘on a “need-to-restrict” basis’). This enables you to establish the principles by which you wish to operate. They are related to, but independent of, actual policy statements. • Roles and responsibilities are related to the scope statement. As an example, the following roles and responsibilities can be agreed and published. The Board is ultimately responsible for ensuring that information security is properly managed. The Information Security Manager is responsible for: – the development and upkeep of this policy – ensuring this policy is supported by appropriate documentation, such as procedural instructions – ensuring that documentation is relevant and kept up-to-date – ensuring this policy and subsequent updates are communicated to relevant departments and personnel. All staff are responsible for adhering to this policy, and for reporting any security breaches or incidents to the Security Manager. • Policy statements should be unambiguous, concise and establish intent. The following statements are provided as an example of what you might expect to see in the management of highly privileged computer user accounts. Privileged accounts The setting up of privileged accounts should be kept to the minimum. Formal processes will be applied in cases where it is considered appropriate to issue special privileges to users. These processes will: – identify the privileges associated with each component of a system (e.g. the operating system, database management system or application) – identify the categories of user requiring special privileges (e.g. ‘system administrator’) – allocate privileges on a restricted basis (e.g. ‘need-to-use’ or ‘event-by- event’ basis) – maintain a record of privileges allocated – ensure that the authorisation process has been completed before privileged access is allowed. Users issued with special privileges will have different IDs for privileged and non- privileged accounts. Group user IDs should only be used in special cases. 5
  • 6. Sources of policy Policies are normally based on existing, published standards, such as ISO/IEC 27001, which provides a specification for an information security management system (ISMS). At the very highest corporate level, there are risk management-related publications (such as the Cadbury and Turnbull reports – see www.ecgi.org and www.icaew.co.uk/internalcontrol ) that have had considerable impact. The sections below provide a number of potential sources of policy-related material. The ISO/IEC 27000 standards ISO/IEC 27002 is a code of practice for information security management. It is designed to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used. This code of practice started life as the UK standard BS 7799-1 in 1995 and was then released as an international standard in 2000 and revised in 2005 in line with normal ISO procedures. It was renumbered as ISO/IEC 27002 in 2007. ISO/IEC 27001 (previously BS 7799-2) provides a specification for an information security management system (ISMS). This includes a number of processes for designing, implementing, maintaining and updating an ISMS. ISO/IEC 27001 can be used for ISMS certification according to the European standard EN45012 and the accreditation guidelines standard ISO 27006 (previously EA 7/03). Further developments in information security standards are ongoing and a “family” of such standards now features in the ISO 27000 series. Further information about the 27000 standards as well as the worldwide register of organisations which have gained accredited certification to ISO 27001 can be found at: http://www.iso27001certificates.com/ The UK ISO/IEC 27001 User Group exists to promote awareness of, and share good practice in relation to, ISO/IEC 27001 and information security management systems. Membership (the Group is free to join) benefits include workshops and newsletters. The Group’s website provides further information. All these standards and guidelines can be purchased from BSI (www.bsi-global.com) or ISO (www.iso.ch) BSI IT security baselines The Bundesamt für Sicherheit in der Informationstechnik (BSI) is a German government agency tasked with producing standards for IT security for the federal government. The agency has an English version of its IT Baseline Protection Manual which is designed to: • help solve common security problems • create a baseline of security for IT systems • simplify the creation of IT security policies 6
  • 7. This document provides in-depth guidance (over 1600 pages) and baseline controls. The baselines have a strong technical bias and are aimed at IT security professionals, although they do provide a good source of sound advice. The baselines are regularly updated and are available in many formats (to download, in hard copy or on CD). Most of these are free of charge, but check the web site (www.bsi.de) for further details. COBIT The Control Objectives for IT (COBIT) were designed as a control framework that combines widely accepted control objectives and a supporting toolset. COBIT has a range of products, including a management guide, control objectives and related support material. It was produced by ISACA (Information Systems Audit & Control Association – the internal audit professional representative body) and although aimed at audit professionals, it provides a robust framework for the larger organisation. There is no proposed certification process as COBIT depends on ISACA certified auditors (with the appropriate qualification) as the main controlling body. Most of the document set is freely available in English from www.isaca.org GASSP The Generally Accepted System Security Principles (GASSP) were originally developed by the Computer Security Institute in order to meet US government needs. They are based on multiple sources, including OECD guidelines and BS 7799. They are aimed at general management as well as information security specialists, and are freely available in English from: • www.gocsi.com • web.mit.edu/ist/topics/security Information Security Forum (ISF) Standard of Good Practice The Standard of Good Practice (SOGP) was designed to provide a target against which ISF members can measure their information security management performance. It consists of a series of control objectives matched to control statements, which are based on what is considered by the ISF to be ‘good practice’. The SOGP was produced as a result of findings from the ISF survey process (full details of which are only available to ISF members). The SOGP is now publicly available and is aimed at information security professionals. It is updated every two years and is available in English from the following web sites: • www.isfsecuritystandard.com • www.securityforum.org 7
  • 8. Information Technology Infrastructure Library (ITIL) ITIL is a collection of best practices in IT service management, consisting of a series of books giving guidance on the provision of quality IT services. ITIL is drawn from the public and private sectors internationally, supported by a comprehensive qualification scheme and accredited training organisations. It includes descriptions of best practice in information security management as well as other related disciplines. For further details visit www.itil.co.uk Authorisation, implementation and operation of policies Authority You will need to ensure that your policy and supporting documents are appropriately authorised. In some organisations, the MD’s signature may suffice. In many other companies it is best to seek authority from a broad range of senior executives, perhaps in the following departments: • finance • operational heads • personnel/HR • legal Implementation It would be difficult to implement an entire policy document set across an organisation at any one given time. A phased approach usually works best, choosing an area with easily defined boundaries and one which supports a range of other services, e.g. the central IT function. Why the central IT function? • This is normally a critical internal service provider in which high assurance is essential. • Much security is delivered through technology. • IT provision is often already well managed. • The scope does not have to include all users. • Subsequent phases can concentrate on core business and IT end-users, as the IT function will then be compliant with policy. A second target could be the personnel or human resources function. The reasons for choosing this are broadly similar to those for initially choosing the IT function. Subsequent target areas will benefit from this work, and it will be easier to implement policies as central ‘service providers’ will be covered by the policy already. Operation As part of the broader issue of managing information security comes the need to monitor compliance with (and effectiveness of) your policies. You will find that some policy statements are not adhered to (e.g. people may share passwords). This can be because they would detract from normal work, or are perceived as being excessively costly. 8
  • 9. 9 In most cases the key to effective security is to set policy that can be achieved and to ensure compliance. You will also need to have suitable processes for dealing with the inevitable, but few, valid policy exceptions. However, be prepared to modify your statements based on feedback. People will comply more readily if they have been involved in policy development and feel they are stakeholders. In time, the policy set should become the benchmark for any audit processes used. Summary • Writing a policy is easy. Implementation can be more difficult. • Get ‘buy-in’ to a policy from senior management. If people are involved in the developmental stage, they are much more likely to comply with policy requirements. • Obtain the appropriate authority for a policy. Make sure it relates to your corporate culture. • Policy is only part of a broader set of control-related elements that make up information security. • Implement a policy gradually. • Don’t reinvent the wheel. Use policy templates such as the one contained in the BERR publication “Information Security: A Business Manager’s Guide”, and standards such as ISO/IEC 27001 and 27002. Please refer to the section on Legislation, Policy and Standards in our business advice pages (see below) for further information. Further help and advice General BERR Information Security Health Check Tool http://www.securityhealthcheck.berr.gov.uk/ BERR Information Security Home page www.berr.gov.uk/sectors/infosec BERR Information Security Business Advice pages http://www.berr.gov.uk/sectors/infosec/infosecadvice/page10059.html BERR Information Security Publications (available to order or download) http://www.berr.gov.uk/sectors/infosec/infosecdownloads/page9935.html Published by the Department for Business, Enterprise & Regulatory Reform www.berr.gov.uk © Crown Copyright. URN 09/643.