Adapt Cybersecurity
Security policies and supporting documentation

Policies provide an all-round approach to an Information Security Policy Framework (ISPF).

Cybersecurity is an important issue for both IT departments and C-level executives. However, security should be a concern for every employee in an organisation, not only for IT professionals and top managers.


Employees are often the weak link in an organisation's security. Employees share passwords, click on malicious URLs and attachments, use unapproved cloud applications, and fail to encrypt sensitive files. An effective way to educate employees on the importance of security is through cybersecurity policies that explain each person's responsibilities for protecting the organisation's IT systems and data. These cybersecurity policies set the standards of behaviour. They matter because cyberattacks and data breaches are potentially costly.


Information Security Policies are an essential administrative security control designed to avoid, counteract or minimise IT security risks. They are an integral and inseparable part of the wider set of security controls; without them, an organisation cannot claim to have effectively implemented any meaningful security measures. Organisations need a Security Policy, Standards, and Procedures to enforce Information Security in a structured way.


Defining corporate security policies, basing them on industry standards, measuring compliance, and using outsourced services where appropriate are the keys to successful policy management.


Many organisations use the terms policy, standard and procedure interchangeably, but each is designed for a different target audience within the business. Together they form the concept of an Information Security Policy framework. This framework is illustrated in the diagram above, with each level of the framework supporting the levels above it. The purpose of each document is as follows:


  • Policy – the Information Security Policy is a comprehensive statement made by the organisation's senior management, indicating the role of security in the organisation. The Policy is independent of any particular technology or solution. It outlines the purpose and mission of security and serves several functions: defining the assets considered valuable, empowering the security group and its activities, serving as a basis for resolving security-related conflicts, capturing the goals and objectives relating to security, outlining the personal responsibilities of staff members, helping to prevent unexplained events, and defining the boundaries and functions of the security group.
  • Standards – mandatory actions or rules. Standards help, support, and develop policies in certain areas. Standards may be internal or external (e.g. legislation). Standards can, for example, specify how software and hardware are to be used or how users are to be handled. They ensure the uniformity of technologies, applications, settings, and procedures throughout the company.
  • Procedures – detailed step-by-step descriptions of the tasks performed to achieve a certain goal. Steps can be performed by users, IT professionals, security personnel, and other staff members dealing with specific tasks. Procedures occupy the lowest level in the chain of policies: they relate directly to computers and users, describe concrete steps, and spell out how the policies will actually be implemented in the production environment. Procedures should be detailed enough to be understandable and useful.
  • Guidelines – describe the recommended actions and operating instructions for users, IT professionals, and other staff members when the appropriate Standards do not apply. Recommendations may relate to technological methods, personnel, or physical security. Unlike the mandatory enforcement of strict Standards, recommendations allow some flexibility in unforeseen circumstances.
  • Baselines – uniform ways of implementing a given safeguard. The system must meet the baseline described by the benchmarks. Baselines are discretionary: it is acceptable to implement a safeguard without following the benchmarks, as long as the implementation provides a level of security at least as strong as the benchmarks would.


Most organisations are familiar with basic policies such as a Disaster Recovery Policy, Data Backup Policy, or Risk Assessment Policy, but there are other must-have information security policies that organisations should be implementing. The point of having comprehensive policies in place is to provide clarity for your employees, direction for proper security procedures, and proof that you're doing your due diligence to protect your organisation against security threats. Below is a list of must-have information security policies and procedures:


  1. Acceptable Encryption and Key Management Policy
  2. Acceptable Use Policy
  3. Clean Desk Policy
  4. Data Breach Response Policy
  5. Disaster Recovery Plan Policy
  6. Personnel Security Policy
  7. Data Backup Policy
  8. User Identification, Authentication, and Authorisation Policy
  9. Incident Response Policy
  10. End User Encryption Key Protection Policy
  11. Risk Assessment Standards and Procedures
  12. Remote Access Policy
  13. Secure Systems Management Policy
  14. Monitoring and Logging Policy
  15. Change Management Policy


When you engage in a gap analysis with Adapt Cybersecurity, the auditor assigned to work with your organisation determines whether there are any gaps in your information security structure. Often, we find that organisations are missing the policies that give structure to their information security plan. After completing a gap analysis, we will develop customised policies to help you meet your specific compliance requirements.


Contact us if you are looking to develop strong policies and procedures or have further questions about how we can help you to meet your compliance goals.


Copyright © 2022 Adapt Cybersecurity - All Rights Reserved.