In a previous blog post, I outlined how security procedures fit in your overall information security documentation library and how they provide the “how” when it comes to the consistent implementation of security controls in an organization. This blog post takes you back to the foundation of an organization’s security program – information security policies and why they are important to an organization’s security program. Below are a few principles to keep in mind when writing your business’ information security policies.
What is an Information Security Policy?
Put simply, an information security policy is a statement, or a collection of statements, designed to guide employees’ behavior with regard to the security of company data, assets, IT systems, etc. These security policies define the who, what, and why regarding the desired behavior, and they play an important role in an organization’s overall security posture. Information security policies should reflect the risk appetite of executive management and therefore serve to establish an associated security mindset within an organization.
The goal when writing an information security policy is to provide relevant direction and value to the individuals within an organization. While entire books have been published regarding how to write effective security policies, below are a few principles to keep in mind when you’re ready to start tapping out (or reviewing existing) security policies.
What Should Information Security Policies Cover?
Since security policies should reflect the risk appetite of executive management in an organization, start with the defined risks in the organization. Write a policy that appropriately guides behavior to reduce the risk. If an organization has a risk regarding social engineering, then there should be a policy reflecting the behavior desired to reduce the risk of employees being socially engineered. One such policy would be that every employee must take yearly security awareness training (which includes social engineering tactics).
Security policies are commonly written for topics such as acceptable use of company assets, personnel security, passwords, change management, access control, physical access, etc. Compliance requirements also drive the need to develop security policies, but don’t write a policy just for the sake of having a policy.
What Should You Keep in Mind When Writing an Information Security Policy?
1. Understand the role of security policies in your organization
One of the primary purposes of a security policy is to provide protection – protection for your organization and for its employees. Security policies protect your organization’s critical information/intellectual property by clearly outlining employee responsibilities with regard to what information needs to be safeguarded and why. When the what and why are clearly communicated to the who (employees), then people can act accordingly as well as be held accountable for their actions. Employees are protected and should not fear reprisal as long as they are acting in accordance with defined security policies.
Another critical role of security policies is to support the mission of the organization. Security professionals need to be sensitive to the needs of the business, so when writing security policies, the mission of the organization should be at the forefront of your thoughts. Ask yourself, how does this policy support the mission of my organization? Is it addressing the concerns of the senior leadership?
Of course, in order to answer these questions, you have to engage the senior leadership of your organization. What is their sensitivity toward security? If they are more sensitive in their approach to security, then the policies will likely reflect a more detailed definition of employee expectations. This approach will likely also require more resources to maintain and monitor the enforcement of the policies. A less sensitive approach to security will have less definition of employee expectations and require fewer resources to maintain and monitor policy enforcement, but will result in a greater risk to your organization’s intellectual assets/critical data.
Either way, do not write security policies in a vacuum. If you do, they will likely not align with the needs of your organization. Writing security policies is an iterative process and will require buy-in from executive management before they can be published.
2. Ensure your security policies are enforceable
If the policy is not going to be enforced, then why waste the time and resources writing it? It is important that everyone, from the CEO down to the newest of employees, complies with the policies. If upper management doesn’t comply with the security policies and the consequences of non-compliance with the policy are not enforced, then mistrust and apathy toward compliance with the policy can plague your organization.
Look across your organization. Can the policy be applied fairly to everyone? If not, rethink your policy. Security policies are supposed to be directive in nature and are intended to guide and govern employee behavior. If the policy is not enforced, then employee behavior is not directed into productive and secure computing practices, which results in greater risk to your organization. Users need to be exposed to security policies several times before the message sinks in and they understand the “why” of the policy, so think about graduating the consequences of policy violation where appropriate.
Another important element of making security policies enforceable is to ensure that everyone reads and acknowledges the security policies (often by signing a statement to that effect). Many security policies state that non-compliance with the policy can lead to administrative actions up to and including termination of employment, but if the employee does not acknowledge this statement, then the enforceability of the policy is weakened.
3. Explain how policy exceptions are handled
You’ve heard the expression, “there is an exception to every rule.” Well, the same perspective often goes for security policies. There are often legitimate reasons why an exception to a policy is needed. In cases where an exception to a policy is needed, the policy should define how approval for the exception to the policy is obtained. Management should be aware of exceptions to security policies as the exception to the policy could introduce risk that needs to be mitigated in another way.
4. Make your security policies brief and succinct
Security policies should not include everything but the kitchen sink. Supporting procedures, baselines, and guidelines can fill in the “how” and “when” of your policies. Each policy should address a specific topic (e.g. acceptable use, access control, etc.); it will make things easier to manage and maintain. Keep it simple – don’t overburden your policies with technical jargon or legal terms. Use simple language; after all, you want your employees to understand the policy. When employees understand security policies, it will be easier for them to comply. When writing security policies, keep in mind that “complexity is the worst enemy of security” (Bruce Schneier), so keep it brief, clear, and to the point.
Why is it Important To Keep Security Policies Current?
The purpose of security policies is not to adorn the empty spaces of your bookshelf. Just like bread left out on the counter goes stale after a period of time (those with kids know what I’m talking about), security policies can go stale over time if they are not actively maintained. At a minimum, security policies should be reviewed yearly and updated as needed. It is good practice to have employees acknowledge receipt of and agree to abide by them on a yearly basis as well. In preparation for this event, review the policies through the lens of changes your organization has undergone over the past year. What new threat vectors have come into the picture over the past year? What have you learned from the security incidents you experienced over the past year? Take these lessons learned and incorporate them into your policies. Security policies are living documents and need to be relevant to your organization at all times.
Information security policies are the foundation of a good security program. With defined security policies, individuals will understand the who, what, and why regarding their organization’s security program, and organizational risk can be mitigated. Linford and Company has extensive experience writing and providing guidance on security policies. If you would like to learn more about how Linford and Company can assist your organization in defining security policies or other services such as FedRAMP, HITRUST, SOC 1 or SOC 2 audits, please contact us.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.