Most organizations have some type of information security policy, and whether written or unwritten, it must relate to specific business needs. One of the most significant issues companies face today is the need to comply with industry standards and government regulations for secure business.
Industry guides such as the International Standards Organization (ISO) 17799 and government regulations like the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act help provide a framework for improved corporate governance and controls. Accurately written and enforced, information security policies enable organizations to demonstrate their adherence with critical regulations and standards as well as articulate their own requirements for mitigating risk.
Security policy task force
As a corporate infosec policy applies throughout the organization, it must be created not by a single individual or business group, but by a representative team. A typical security policy creation task force for a large enterprise might include a senior manager, IT directors, an information security expert, auditors, a human resources representative, legal counsel, and a public relations manager. The importance of establishing a proper team cannot be understated – without input from key personnel, the information security policy is likely to be weak and unlikely to be taken seriously.
Each member of the task force provides a unique contribution. For example, the involvement of a senior manager or executive indicates the important role of the policy to the company, while the inclusion of network administrators or information systems directors ensures that technical implications are being closely considered.
Garnering the support of a security professional helps ensure that the policy reflects relevant threats and recommended steps to mitigate risk. Auditors help pinpoint the current type of computer-related activities within the company, and human resources personnel can provide direction pertaining to implementation, training, and enforcement.
Involvement of legal counsel is key in ensuring that the information security policy protects company assets, does not violate employees' rights, and addresses applicable laws and regulations. The public relations manager, in turn, can help set up a communications plan for dealing with the media and for keeping stakeholders informed as the company responds to security incidents.
Once it is written, the security policy should be endorsed at the highest corporate level possible to demonstrate the corporation's commitment to information security.
Anatomy of a policy
The term "information security policy" actually refers to a hierarchical set of documents. At the top is a brief document (typically two pages) which describes the organization's philosophy and expectations regarding information security. This document is the actual information security policy. It is written in broad and generic terms and, as a result, remains relatively unchanged for three to five years. Although it is vague and generalized, it will play a crucial role in an organization's overall strategy, because it provides the foundation for all daily operations and activities.
Down one level from the actual security policy document is a set of standards documents. Where the policy is strategic in nature, the standards document set is tactical. These standards cover the physical, administrative, and technical controls designed to protect corporate information assets – without inhibiting the productivity of end users. Creating a standards document set is both a business and a technical task – the result must meet the needs of the business and be accepted by employees as a normal part of business operations.
Below the standards document set is an operational guide that details exactly how security controls should be implemented and managed. Often referred to as the information security procedures document set, these instructions are used by all employees to achieve compliance with the company's information security policy and standards.
Consequently, when creating a procedures document set, more employee involvement is typically better than less. Personnel who feel ownership for the procedures related to their work area are more likely to comply with the established processes.
The typical procedures document set will be frequently altered to reflect business changes, and it will be lengthy – especially since compliance with any one standard usually requires the completion of several procedures or tasks.
Because the procedures document set is widely used and frequently referred to by end-users, its format is very important. All procedures should share a common format and layout, making it easier for users to understand and follow. Procedures should be written in basic language that is as free of jargon and acronyms as possible. Where the use of jargon and acronyms cannot be avoided, a glossary should be included.
Procedures documents should be available in electronic and printed form, and access should be closely controlled to ensure that corporate-sensitive information is not put in jeopardy.
A durable infosec policy is the foundation for effective information security in any corporate computing environment. Tasked with delivering the integrity, availability and confidentiality of information, a security policy will help protect corporate assets and can help ensure uptime and business continuity – but only if it is enforced.
Few organizations have the resources or expertise to continually analyze and measure compliance with their information security policy, standards, and procedures. For these businesses, tools are available that automate the planning, management, and control of security policies. These tools perform thousands of security checks on a variety of platforms and automatically collect and correlate the security assessment data into a single, enterprise-wide series of reports. Assessments are based on the organization's security standards as well as those best practices established in line with government regulations.
Once the software checks all systems for deviations from policies – whether unauthorized privileges, improper system configuration, inappropriate file access, or other disparities – it reports these issues to administrators at a centralized console. Emerging tools provide the additional benefit of streamlining security event and incident data, so it is easier for administrators to address problems in a prioritized way.
These policy compliance tools also allow corporate information security policies and checks to be exported to branch offices to ensure consistency and protection throughout the enterprise.
Protection and uptime
Creating an information security policy that accurately reflects an organization's security philosophy, the standards and regulations to which the corporation must comply, and the step-by-step details of the procedures and processes for addressing its security needs is an effort that requires a dedicated team of the organization's key personnel. While the effort to create the policy, standards, and procedures documents is substantial, the rewards can also be significant.
Enforcing and measuring compliance with an information security policy has become a serious consideration for a growing number of companies as government legislation continues to call for increased security checks and balances across the corporate environment.
To make it easier for organizations to meet their compliance goals, automation tools are available that discover and report on vulnerabilities, then deliver concise, prioritized information. With these, corporations can resolve security issues, protect critical assets, and ensure business continuity.