Security Policies - Manage your Risks
Security policies are documents developed and implemented by an organization to manage security related risks, meet business requirements, and comply with regulations. Security policies specify the controls and actions to be performed (what needs to be done) and are approved by senior management to ensure the policies are in line with the organization's overall level of risk tolerance.
Purpose
The main goal of security policies is to protect data by identifying procedures, guidelines and safeguards for configuring and managing security in the organization's environment. Security policies define the organization’s philosophy and requirements for securing information systems and related assets. They also outline how controls apply to staff, processes, and environments. Consequences for failed compliance with the policies are also addressed.
Security policies provide many benefits to organizations:
- Security vulnerabilities are identified and properly treated. This ensures security related risks are aligned with the organization's level of risk tolerance.
- A consistent approach to security reduces the likelihood and impact of a security breach.
- Efficiencies are achieved when information is safely shared within the organization, as well as with customers, partners, and vendors.
- Heightened security awareness increases the likelihood of compliance with the security policies.
Risk Assessment
The first step when preparing security policies is to fully identify the organization's assets and the threats to those assets.
Important IT assets can include network infrastructure components (firewalls, servers, data, storage, applications, important peripherals, etc.), staff (employees, consultants, temporary help, etc.), facilities (buildings, data centers), and security protection mechanisms (access control systems, locking cages, etc.). Other important assets that should be identified include intellectual property and customer goodwill.
When assessing risks, consider both external and internal threats. External threats include hackers, malware, Denial of Service (DoS) attacks, collateral damage from terrorism, fire, and similar hazards. Internal threats include unauthorized use of systems, untrained staff, failure to follow procedures, and missing or insufficient security controls.
Following the identification of assets and threats, the organization should perform a risk analysis that identifies the likelihood and impact of an event on the organization. Consider the impact if the asset’s data, networks or systems are compromised. Also consider a security incident’s impact on the organization's credibility, reputation and relationships with stakeholders, customers, and business associates.
The risk assessment and risk analysis help to:
- Ensure important assets are identified
- Allocate security expenditures to the most important assets
- Minimize expenses without exposing the organization to unnecessary risk
- Ensure resources are properly allocated to the most important assets
- Provide direction and guidance when developing security policies
Effective Security Policies
Once the assets, threats, and impact on the organization have been identified, security policies are used to treat the risks in one or more of the following ways:
- Eliminate risks
- Transfer risk to an outside entity
- Reduce risks to acceptable levels
- Identify monitoring controls needed to ensure the risks remain within acceptable levels
- Avoid risks
Each security policy should include the following seven key elements:
- Overview - introduction and high level summary
- Purpose - why this policy is needed
- Scope - departments/staff required to follow this policy
- Policy - specific policy text with assigned responsibilities and actions to be performed
- Enforcement - disciplinary actions to be taken if policy is not followed
- Distribution - distribution list for this policy
- Revision History - dates and summaries of changes made
Recommended Security Policies
Security policies address access controls, patch management, monitoring systems, business continuity, compliance, and many other areas. The following is a minimum list of recommended security policies for small organizations. Medium and large organizations face greater risks and need more extensive policies and controls.
Security protection policies
- Anti-Malware Policy
- Backup Policy
- Encryption Policy
- Personnel Security Policy
- Securing Information Systems Policy
Risk management policies
- Business Impact Analysis
- Data Classification Policy
- Data Retention Policy
- Risk Assessment Policy
Network security policies
- Change Management Policy
- Disposal Policy
- Firewall Policy
- Password Policy
- Physical Access Policy
- Remote Access Policy
- Server Hardening Policy
- Workstation Security Policy
A security policy collection includes templates that provide an organization a quick, cost-effective, and easy way to manage security related risks, meet business requirements, and comply with regulations.