Security policies are the foundation of the security infrastructure. In some environments people do not consider them important, but that is a mistake. Information security policies define the baseline security requirements and rules that must be implemented in order to protect an organization's information systems.
Some of the goals of security policies are:
- Maintain an outline for the management and administration of network security.
- Prevent unauthorized modifications of data.
- Protect an organization's computing resources.
- Reduce the risks caused by illegal use of system resources.
- Limit the legal liabilities arising from the actions of employees or third parties.
- Differentiate the users’ access rights.
- Prevent waste of the company's computing resources.
- Protect confidential, proprietary information from theft, misuse and unauthorized disclosure.
There are different types of security policies. A common classification distinguishes four stances:
- Promiscuous policy: No restrictions on the usage of system resources.
- Permissive policy: Everything is open by default and only known dangerous services and attack behaviours are blocked. Because it fails open for anything not yet on the block list, this policy must be updated constantly to stay effective.
- Prudent policy: It provides maximum security while still allowing known but necessary risks. All services are blocked by default and only safe or necessary services are enabled individually. In addition, everything should be logged.
- Paranoid policy: It forbids everything: no Internet connection, or severely limited Internet usage.
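The practical difference between these stances shows up when an unknown service appears. The following is an added example, not code from the original post: it models permissive, prudent and paranoid policies as a default action plus an exception list, evaluates a few constructed connection attempts (the service names and addresses are made up), and shows that the permissive stance lets the never-seen service through while the prudent one denies it and logs every decision.

```python
"""Policy stances as executable rules (added example, not from the original post).

permissive: default allow, block only known-bad services, log denies only.
prudent:    default deny, allow only an explicit list, log every decision.
paranoid:   default deny with no exceptions, log every decision.
All service names and the sample attempts are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attempt:
    src: str
    service: str  # e.g. "ssh", "telnet", "unknown-9999"


@dataclass
class Policy:
    name: str
    default_action: str        # "allow" or "deny"
    exceptions: frozenset      # services that get the opposite of default_action
    log_all: bool = False      # True: log allows as well as denies
    log: list = field(default_factory=list)

    def decide(self, attempt: Attempt) -> str:
        opposite = "deny" if self.default_action == "allow" else "allow"
        action = opposite if attempt.service in self.exceptions else self.default_action
        if self.log_all or action == "deny":
            self.log.append(f"{self.name}: {action} {attempt.service} from {attempt.src}")
        return action


# Factories return fresh objects so each evaluation starts with an empty log.
def permissive_policy() -> Policy:
    return Policy("permissive", "allow", frozenset({"telnet", "ftp"}))


def prudent_policy() -> Policy:
    return Policy("prudent", "deny", frozenset({"ssh", "https", "dns"}), log_all=True)


def paranoid_policy() -> Policy:
    return Policy("paranoid", "deny", frozenset(), log_all=True)


# Constructed traffic: two expected services, one known-bad, one never seen before.
ATTEMPTS = [
    Attempt("10.0.0.5", "ssh"),
    Attempt("10.0.0.5", "https"),
    Attempt("10.0.0.9", "telnet"),
    Attempt("203.0.113.7", "unknown-9999"),
]


def run(policy: Policy) -> tuple:
    """Evaluate every attempt; return ({service: action}, [log lines])."""
    decisions = {a.service: policy.decide(a) for a in ATTEMPTS}
    return decisions, list(policy.log)


if __name__ == "__main__":
    for factory in (permissive_policy, prudent_policy, paranoid_policy):
        decisions, log = run(factory())
        print(decisions)
        print("\n".join(log) or "(nothing logged)")
```

Note that the permissive policy produces a single log line (the telnet deny) and silently admits the unknown service; the prudent policy produces one line per attempt, which is what makes the "everything should be logged" requirement auditable after the fact.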
There are many examples of security policies. A few are listed below, but security policies should cover every area involved in the use of our organization's information systems:
- Access control policy: It defines the resources being protected and the rules that control access to them.
- Remote access policy: It defines who can have remote access, and defines access medium and remote access security controls.
- Firewall management policy: It defines access, management and monitoring of firewalls in the organization.
- Network connection policy: It defines who can install new resources on a network, approve the installation of new devices, document network changes, etc.
- Password policy: It provides guidelines for using strong passwords to protect the organization's resources.
- User account policy: It defines the account creation process and authority, right and responsibilities of user accounts.
- Information protection policy: It defines the sensitivity levels of information, who may have access to it, how it is stored and transmitted, and how it should be deleted from storage media.
- Special access policy: This policy defines the terms and conditions of granting special access to system resources.
- Email security policy: It is created to govern the proper usage of corporate email.
- Acceptable use policy: It defines the acceptable use of system resources.
- Privacy policy at the workplace: It defines the access to employees' private information by other employees.
As you can see, many things are involved and need to be defined as policies. These are just a few examples but, as I have said, policies should cover everything related to our information systems.
Let's expand a bit on the "privacy policy at the workplace". Again, this is just an example. In this area especially, part of the definition of the policy is dictated by the legislation of the country. It can contain things like:
- Tell employees what information you collect, why you collect it and what you will do with it.
- Limit the collection of information and collect it by fair and lawful means.
- Inform employees about the potential collection, use and disclosure of personal information.
- Keep employees' personal information accurate, complete and up to date.
- Provide employees access to their personal information.
- Keep employees’ personal information secure.
There are a few steps that can, and should, be followed to implement these policies. The security policy development team in an organization generally consists of the information security team (IST), technical writer(s), technical personnel, legal counsel, human resources, the audit and compliance team, and a users' group. The steps to follow are:
- Perform a risk assessment to identify risks to the organization’s assets.
- Learn from standard guidelines and other organizations.
- Include senior management and all other staff in policy development.
- Set clear penalties and enforce them.
- Make a final version available to all of the staff in the organization.
- Ensure every member of your staff reads, understands and signs the policy.
- Deploy tools to enforce the policies.
- Train your employees and educate them about the policy.
- Regularly review and update the policies.
I am sure that most people are surprised to read that human resources and legal counsel need to be included in the definition of these policies. But the point is that, even though they do not know the technical side of the systems, or even the systems themselves, they are the experts in their own areas, and we are going to need them.
The human resources department is responsible for making employees aware of the security policies and training them in the best practices the policies define. They work closely with management to monitor policy implementation and to address any policy violation.
The legal team helps us develop the policies. Policies should be developed in consultation with legal experts and must comply with the relevant local laws. Their help prevents us from enforcing a policy that violates users' rights in contravention of local law, which could result in lawsuits against the organization.
This is just a short introduction to policies and a few examples of the policies that need to be put in place. As I have said before, they should cover everything around the information systems and processes in our company.