One of the many information security challenges organizations face today is the variety of security policies they must create and follow. Most compliance requirements only state that policies must exist, what they should include and how often they should be updated. Little to no guidance is provided, however, on how the individual policies depend on or relate to each other. As a result, organizations often start to question the point of all these policies: What are the main benefits, and do they outweigh the drawbacks? Are we tormenting the people who have to read, approve and learn them? Is it worth it?
Taking a top-down view of policy requirements, four policies stand out as the primary drivers for all information security activities within an organization. Together they answer the main questions associated with security: What do we protect? Why do we protect it? How do we protect it? And how do we know the protection is working?
First Things First
Before we dive into the policies themselves, note two preconditions without which no policy works: organizational governance to direct, supervise, and monitor the organization's activities, and the operational processes needed to actually implement and sustain what the policies require.
Once you have committed to these responsibilities, you can develop and refine your security program, starting with these four key information security policies:
1) Risk Management
Every organization has a purpose. That purpose is expressed as organizational objectives, and to achieve them, plans are drawn up and steps are taken to implement those plans. As with anything that is supposed to happen in the future, there are uncertainties that can affect the plan, either negatively or positively, with respect to achieving the objectives. The effect of such uncertainty on objectives is what we call risk, and it is addressed through a process called risk management.
Risk management defines the steps necessary to identify, analyze and evaluate risks. You can then decide on the appropriate action to reduce the impact or likelihood of each risk to a level that is deemed acceptable. You also define how to check whether those actions are effective and whether the risk factors have changed. Regardless of where a risk comes from, whether a change in management or a network vulnerability that threatens the confidentiality of your data, all risks should be identified through the risk management process and either accepted or mitigated based on their likelihood and impact. Your risk management policy and its framework are the foundation of your organization's security posture. It is the first policy that should be developed and implemented, because it gives every other security activity its rationale.
2) Classification of Assets
The second policy covers the identification and classification of assets in order to define the appropriate level of protection for each. Classification determines how much time, effort, and money should be spent securing an asset, based on its value. The process should also determine how the loss or compromise of each asset would affect your operations, including financial loss, reputational damage, or lost business opportunities. The higher the impact associated with an asset, the more thorough its risk analysis should be and the more protection it will need. Without a Classification of Assets Policy, you would have a difficult time prioritizing your protection efforts.
3) Information Systems Security
The Information Systems Security Policy is typically the main security policy required of organizations. It defines which security controls must be applied to the various information systems. It should be comprehensive, covering a wide range of topics such as physical security, access management, network security, encryption, and security within the development lifecycle. The document should be reviewed and updated regularly so that it reflects the controls that mitigate newly identified risks. You should expect your risks to evolve, since you are likely to change your technology or update your business services. The policy should also state how each control is maintained over time (the patch management process, for example) and point to where the detailed standards and procedures for each part of the policy are documented, so that this information is available to the people who must implement the control.
4) Information Systems Assessment and Authorization
The fourth policy can make or break your organizational security efforts: the Information Systems Assessment and Authorization Policy. Its goal is to ensure that any new system you put into production is properly secured before it goes live, and that everyone involved understands the defined standards and any deviation from them that has been accepted.
The Information Systems Assessment and Authorization Policy is considered by some to be cumbersome and unnecessary. Indeed, it takes a lot of time and effort to understand the different aspects of a planned business service, to identify the assets involved and their classification, and to determine which controls from the Information Systems Security Policy are necessary to protect them. The alternative, however, is to spend more time, effort, and money after the system is already in place, as issues are discovered in production. Consider that your business and your customers will be affected, and that fundamental changes to a live system are difficult, if not impossible, to make. The benefit of applying this policy proactively is that potential issues are anticipated and addressed before the system is exposed, rather than discovered later in production.
To ensure transparency and hold everyone accountable, outline in the policy the individual responsibilities associated with each control and how each control affects your organization. The Information Systems Assessment and Authorization Policy ties the three other policies together and is what turns all your security efforts into measurable results.
You may determine that you need additional policies based on the daily activities and challenges your organization faces. The four principal policies, however, map onto the steps of the Deming Cycle of continuous improvement: plan, do, check, and act. When you plan your security through risk management, apply security controls according to asset classification, and assess your systems before exposing them, acting on what the assessment finds, you develop an effective security posture.