
© InstantSecurityPolicy.com

The IT Security Policy Guide
Why you need one, what it should cover, and how to implement it
By: InstantSecurityPolicy.com

Table of Contents
1. Introduction
2. What is a Security Policy?
3. Why is a Security Policy Necessary?
4. The Security Policy Problem
5. What a Policy Should Cover
6. Types of Policies
7. Policy Content
8. Policy Implementation
9. Policy Review
10. Summary

1. Introduction

Note: This document is organized into sections, which may or may not be applicable depending on where you are in your security policy development process. Feel free to skip ahead to the section that applies best to you.

There is no right or wrong way to begin the process of developing a security policy. No single policy or security strategy will work for every organization. Contrary to what is advertised on the Internet, there is no generic template that will meet every need. A fantastic policy for Company A might be useless to Company B. A security policy must be a living, custom document that reflects your company’s environment and culture, and meets its specific security needs.

In fact, a useless security policy is worse than no policy. Companies that boast of security policies thicker than a ream of paper are often the ones that have no idea what those policies say. The false sense of security provided by an ineffective policy is dangerous. The point of a security policy is not to create “shelfware” that will look good in a binder, but rather to create an actionable and realistic policy that your company can use to manage its security practices and reduce its risk of a security incident.

2. What is a Security Policy?

A security policy is a strategy for how your company will implement Information Security principles and technologies. It is essentially a business plan that applies only to the Information Security aspects of a business.

A security policy is different from security processes and procedures, in that a policy will provide both high-level and specific guidelines on how your company is to protect its data, but will not specify exactly how that is to be accomplished. This provides leeway to choose which security devices and methods are best for your company and budget. A security policy is technology- and vendor-independent – its intent is to set policy only, which you can then implement in any manner that accomplishes the specified goals.

A security policy should cover all your company’s electronic systems and data. As a general rule, a security policy would not cover hard copies of company data, but some overlap is inevitable, since hard copies invariably were soft copies at some point.

Where the security policy applies to hard copies of information, this must be specifically stated in the applicable policy.

A security policy must specifically accomplish three objectives:

1) It must allow for the confidentiality and privacy of your company’s information.

2) It must provide protection for the integrity of your company’s information.

3) It must provide for the availability of your company’s information.

This is commonly referred to as the “CIA Triad” of Confidentiality, Integrity, and Availability, an approach which is shared by all major security regulations and standards. Additionally, this approach is consistent with generally accepted industry best practices for security management.

3. Why is a Security Policy Necessary?

It is generally impossible to accomplish a complex task without a detailed plan for doing so. A security policy is that plan, and provides for the consistent application of security principles throughout your company. After implementation, it becomes a reference guide when matters of security arise.

A security policy indicates senior management’s commitment to maintaining a secure network, which allows the IT staff to do a more effective job of securing the company’s information assets. Ultimately, a security policy will reduce your risk of a damaging security incident. And in the event of a security incident, certain policies, such as an Incident Response Policy, may limit your company’s exposure and reduce the scope of the incident.

A security policy can provide legal protection to your company. By specifying to your users exactly how they can and cannot use the network, how they should treat confidential information, and the proper use of encryption, you are reducing your liability and exposure in the event of an incident. Further, a security policy provides a written record of your company’s policies if there is ever a question about what is and is not an approved act.

Security policies are often required by third parties that do business with your company as part of their due diligence process. Some examples of these might be auditors, customers, partners, and investors. Companies that do business with your company, particularly those that will be sharing confidential data or connectivity to electronic systems, will be concerned about your security policy.

Lastly, one of the most common reasons why companies create security policies today is to fulfill regulations and meet standards that relate to the security of digital information. A few of the more commonly encountered are:

· The PCI Data Security Standard (DSS)
· The Health Insurance Portability and Accountability Act (HIPAA)
· The HITECH Act
· The Sarbanes-Oxley Act (SOX)
· Massachusetts 201 CMR 17.00
· The ISO family of security standards
· The Gramm-Leach-Bliley Act (GLBA)

All of these require, in some form, a written IT security policy.

4. The Security Policy Problem

Simply put, security policies are not easy to create. The process of getting a security policy is difficult, time-consuming, and expensive. Companies typically have two choices:

1) Hire a security professional to write a custom policy for your organization.

2) Try to write your own using resources found on the Internet or purchased guides.

Number one is an expensive proposition – it can cost tens of thousands of dollars, depending on the complexity and number of policies, and take a great deal of time. Number two is impractical – it would take weeks, if not months, of painstaking work to cobble together a policy that will likely not be completely appropriate for your company. These two reasons deter most security policy projects before they start.

Additionally, the process of getting a security policy is confusing. As an example, different security policy experts recommend that a policy have the following components: standards, guidelines, position statements, guiding principles, rules, procedures, and lastly, policies. This jumble of “consultant-speak” is confusing at best, and does not result in a useful management tool.

To be effective, a security policy must be clear and consistent. As important, a security policy should fit into your existing business structure and not mandate a complete, ground-up change to how your business operates. More information can be found in the Policy Implementation section of this guide.

5. What a Policy Should Cover

A security policy must be written so that it can be understood by its target audience (which should be clearly identified in the document). For example, technical policies can, by nature, be more technical than policies intended for users, which should be written in everyday language. At no point should a security policy use confusing or obscure legal terms. A security policy should allow no room for misunderstanding. There must be a universal understanding of the policy and consistent application of security principles across the company.

A security policy should have, at minimum, the following sections.

· Overview: Provides background information on the issue that the policy will address.

· Purpose: Specifies why the policy is needed.

· Scope: Lays out exactly who and what the policy covers.

· Target Audience: Advises for whom the policy is intended.

· Policies: This is the main section of the document, and provides statements on each aspect of the policy. For example, an Acceptable Use Policy might have individual policy statements relating to Internet use, email use, software installation, network access from home computers, etc.

· Definitions: For clarity, any technical terms should be defined.

· Version: To ensure consistent use and application of the policy, include a version number that is changed to reflect any changes/updates to the policy.

6. Types of Policies

Different companies will need different policies for effective security management. Below is a list of standard policies that would make up an organization’s security policy. Some companies may need all these policies, while others need only a handful.

That said, certain policies can reasonably be considered “essential” to security management and are applicable to most every company. These are denoted below with an asterisk.

Acceptable Use Policy*
Authentication Policy*
Backup Policy*
Confidential Data Policy*
Data Classification Policy
Encryption Policy
Email Policy
Guest Access Policy
Incident Response Policy*
Mobile Device Policy
Network Access Policy*
Network Security Policy*
Outsourcing Policy
Password Policy*
Physical Security Policy
Remote Access Policy
Retention Policy
Third Party Connection Policy
VPN Policy
Wireless Access Policy

7. Policy Content

When developing content, many go about creating a policy exactly the wrong way. The goal is not to create hundreds of pages of impressive-looking information, but rather to create an actionable security plan. The following guidelines apply to the content of successful IT security policies.

· A security policy should be no longer than is absolutely necessary. Some believe that policies are more impressive when they fill enormous binders, or contain hundreds or even thousands of policies. These types of policies overwhelm you with data, and are frequently advertised on the Internet. But quantity does not equal quality, and it is the sheer amount of information in those policies that makes them useless. Brevity is of the utmost importance.

· A security policy should be written in “plain English.” While, by nature, technical topics will be covered, it is important that the policy be clear and understood by the target audience for that particular policy. There is never room for “consultant-speak” in a security policy. If there is a doubt, the policy should be written so that more people can understand it rather than fewer. Clarity must be a priority in security policies, so that a policy isn’t misunderstood during a crisis, or otherwise misapplied, which could lead to a critical vulnerability.

· A security policy must be consistent with applicable laws and regulations. In some countries there are laws that apply to a company’s security practices, such as those covering the use of encryption. Some states have specific disclosure laws or regulations governing the protection of citizens’ personal information, and some industries have regulations governing security policies. It is recommended that you research and become familiar with any regulations or standards that apply to your company’s security controls.

· A security policy should be reasonable. The point of this process is to create a policy that you can actually use rather than one that makes your company secure on paper but is impossible to implement. Keep in mind that the more secure a policy is, the greater the burden it places on your users and IT staff to comply. Find a middle ground in the balance between security and usability that will work for you.

· A security policy must be enforceable. A policy should clearly state what actions are permitted and what actions are in violation of the policy. Further, the policy should spell out enforcement options when non-compliance or violations are discovered, and must be consistent with applicable laws.

A security policy can be formatted to be consistent with your company’s internal documentation; however, certain information should be placed on each page of the policy. At a minimum, this information should include: policy name, creation date, target audience, and a clear designation that the policy is company confidential.

8. Policy Implementation

Once you’ve created your policy, perhaps the hardest part of the process is rolling it out to your organization. Too many well-intentioned projects lose steam in this phase, so this step must be well planned and undertaken thoughtfully.

First, and most importantly, a security policy must be backed by your company’s senior management team. Without their support, the cooperation needed across departments will likely doom the implementation. Department heads must be involved, and specifically, Human Resources and Legal Services must play an integral part. Make sure you have management buy-in before you get too far along in the process.

If the position doesn’t already exist, an Information Security Officer or IT Security Program Manager should be designated at your company who is responsible for implementing and managing the security policy. This can be an existing manager. This designation is sometimes not practical at smaller companies, but regardless, one person, who has the authority to make executive decisions, needs to own and be accountable for your company’s security policy.

Remember that your security policy must be officially adopted as company policy. It should be signed off on and recorded in the same way your company makes any major decision, including full senior management approval.

Next, go through each policy and think about how it will be applied within the organization. Make sure that the tools are in place to conform to the policy. For example, if the policy specifies that a certain network be monitored, make sure that monitoring capabilities exist on that network segment. If a policy specifies that visitors must agree to the Acceptable Use Policy before using the network, make sure that there is a process in place to provide visitors with the Acceptable Use Policy. In this phase, if you discover something impractical, create a plan to make appropriate changes to either the network or the policy.

Understand that policies differ from processes and procedures. You will need to carefully consider the necessary security processes and procedures after you have your policy finished. For example, the Backup Policy may detail the schedules for backups and off-site rotation of backup media; however, it won’t say exactly how these tasks are to be accomplished. Additionally, certain procedures must be created to support the policies. For example, how should your users respond if they suspect a security incident? How will you notify your users if they are noncompliant with a specific policy? How will exemptions to the policy be requested and approved? Work with the necessary departments within your company (Legal, IT, HR, etc.) to establish procedures to support your policies.

User education is critical to a successful security policy implementation. A training session should be held to go over the policies that will impact users, as well as provide basic information security awareness training. Often, users create security issues because they simply don’t understand that what they are doing is risky or against the security policy.

Users must be provided any user-level policies, and must acknowledge in writing that they have read and will adhere to the policies. If possible, coordinate this with Human Resources so that the policies can be included with any other HR documents that require a user signature.

No matter how well implemented, no policy will be 100% applicable for every scenario, and exceptions will need to be granted. Exceptions, however, must be granted only in writing and must be well documented. It should be made clear from the outset that the policy is the official company standard, and an exception will only be granted when there is an overwhelming business need to do so.

9. Policy Review

After the security policy has been in place for some period of time - which can be anywhere from three months to a year, depending on your company - the company’s information security controls should be audited against the applicable policies. Make sure that each policy is being followed as intended and is still appropriate to the situation. If discrepancies are found, or the policies are no longer applicable as written, they must be changed to fit your company’s current requirements.

After the initial review process, you should regularly review the security policy to ensure that it still meets your company’s requirements. Create a process so that the policy is periodically reviewed by the appropriate persons. This should occur both at certain intervals (e.g., once per year), and when certain business changes occur (e.g., the company opens a new location). This will ensure that the policy does not get “stale” and will continue to be a useful management tool for years to come.

When changes need to be made, be sure to A) update the revision history section of the document to differentiate the new document from past versions; and B) distribute any modified user-level policies to your users. Clearly communicate the policy changes to any affected parties.

10. Summary

The most useful security policies share two characteristics: 1) they are an accurate reflection of a company’s security strategy and, 2) they provide realistic and attainable security goals. A security policy should never simply be dictated by what is pre-written in a downloaded template – it needs to be specific to your company. The challenging part is often finding a way to accomplish these goals without devoting a huge amount of time and/or money to the effort.

Recognize that a security policy should not be created and then shelved for eternity, but rather actively consulted throughout your company’s organization. By incorporating your custom security policy into your company’s management process, it is possible to both meet applicable regulations and enjoy risk reduction for years to come.

About InstantSecurityPolicy.com

InstantSecurityPolicy.com is the only provider of online, customized, instant IT security policies in the world. Since its launch in 2008, the site has helped hundreds of companies from across the globe to cost-effectively address their security policy needs. Policies developed by InstantSecurityPolicy.com assist a diverse customer base to fulfill industry regulations, provide security documentation for audits, and act as a security handbook.

Visit www.InstantSecurityPolicy.com for more information on how to obtain a professional, custom security policy in minutes.

InstantSecurityPolicy.com
100 Capitola Drive, Suite 250
Durham, NC 27713
888-764-4610 toll free
919-998-8383 international
[email protected]