Ok, I admit it, I didn’t choose the most intriguing or engaging of topics in the security world for my first blog post with Linford & Company. Hacking techniques (e.g. XSS or CSRF) or commentary on the latest breach would be much more engaging for the both of us, but security policies do play an important role in your organization’s overall security posture as they serve to establish a security mindset for your organization.
Writing a good security policy that is relevant and provides value for your organization is the ultimate goal. While entire books have been written regarding writing effective security policies, below are a few principles to keep in mind when you’re ready to start tapping out (or reviewing existing) security policies for your organization.
- Understand the role of security policies in your organization. One of the primary purposes of a security policy is to provide protection – protection for your organization and for its employees. Security policies protect your organization’s critical information/intellectual property by clearly outlining employee responsibilities with regard to what information needs to be safeguarded and why. When the what and why is clearly communicated to the who (employees) then people can act accordingly as well as be held accountable for their actions. Employees are protected and should not fear reprisal as long as they are acting in accordance with defined security policies.
- Another critical role of security policies is to support the mission of the organization. Security professionals need to be sensitive to the needs of the business, so when writing security policies, the mission of the organization should be in the forefront of your thoughts. Ask yourself, how does this policy support the mission of my organization? Is it addressing the concerns of the senior leadership? Of course, in order to answer these questions, you have to engage the senior leadership of your organization. What is their sensitivity toward security? If they are more sensitive in their approach to security, then the policies likely will reflect a more detailed definition of employee expectations. This approach will likely also require more resources to maintain and monitor the enforcement of the policies. A less sensitive approach to security will have less definition of employee expectations, require less resources to maintain and monitor policy enforcement, but will result in a greater risk to your organization’s intellectual assets/critical data. Either way, do not write security policies in a vacuum. If you do, it will likely not align with the needs of your organization.
- Security policies need to be enforceable. If the policy is not going to be enforced, then why waste the time and resources writing it? It is important that everyone from the CEO down to the newest of employees comply with the policies. If upper management doesn’t comply with the security policies and the consequences of non-compliance with the policy is not enforced, then mistrust and apathy toward compliance with the policy can plague your organization. Look across your organization. Can the policy be applied fairly to everyone? If not, rethink your policy. Security policies are supposed to be directive in nature and are intended to guide and govern employee behavior. If the policy is not enforced, then employee behavior is not directed into productive and secure computing practices which results in greater risk to your organization. Users need to be exposed to security policies several times before the message sinks in and they understand the “why” of the policy, so think about graduating the consequences of policy violation where appropriate.
- Security policies need to be maintained. The purpose of security policies is not to adorn the empty spaces of your bookshelf. Just like bread left out on the counter goes stale after a period of time (those with kids know what I’m talking about), security policies can stale over time if they are not actively maintained. At a minimum, security policies should be reviewed yearly. It is good practice to have employees acknowledge receipt of and agree to abide by them on a yearly basis as well. In preparation for this event, review the policies through the lens of changes your organization has undergone over the past year. What new threat vectors have come into the picture over the past year? What have you learned from the security incidents you experienced over the past year? Take these lessons learned and incorporate them into your policy. Security policies are living documents and need to be relevant to your organization at all times.
- Security policies should be brief. Security policies should not include everything but the kitchen sink. Supporting procedures, baselines and guidelines can fill in the “how” and “when” of your policies. Each policy should address a specific topic (e.g. acceptable use, password complexity, etc.); it will make things easier to manage and maintain. Keep it simple – don’t overburden your policies with technical jargon or legal terms. You’ve heard of the “KISS” principle; it applies to security policies as well. Use simple language; after all you want your employees to understand the policy. When they understand the policy, it will be easier for them to comply. When writing security policies, keep in mind that “complexity is the worst enemy of security” (Bruce Schneier), so keep it brief, clear, and to the point.
A great security program is build upon the foundation of solid security policies. Take care and happy policy writing.