Building and administering a security programme is a long-term commitment that most firms make as their business grows. Working with companies where there were no guidelines for how employees used assets or networks has been a learning experience for me. I’ve also worked for well-established firms where every area of information technology and cybersecurity was meticulously managed. The goal is to find a happy medium in which firms can responsibly manage the risks associated with the types of technology they choose to implement.
When laying the groundwork for a security programme, most businesses will first appoint a member of staff who will be responsible for cybersecurity. It will be this person who will initiate the process of developing a plan to manage the risk of their organisation through the use of security technologies, auditable work processes, and written rules and procedures.
Policies and processes such as the ones listed below will be required by a mature security programme:
1. Acceptable Use Policy (AUP)
An acceptable use policy (AUP) specifies the restrictions and practices that an employee who uses organisational information technology assets must agree to in order to gain access to the corporate network or the internet. It is usual practice for new workers to be presented with this policy during their orientation. Before being issued a network ID, they are required to read and sign the Acceptable Use Policy. It is advised that an enterprise’s information technology, security, legal, and human resources departments meet to agree on the contents of this policy. On the SANS website, you can find an example that is available for fair use.
2. Access Control Policy (ACP)
With reference to an organisation’s data and information systems, the ACP describes the access levels that employees have to these resources. Many access control standards, such as those published by the National Institute of Standards and Technology, and their implementation guides are often covered in an access control policy. Aside from that, this policy addresses issues such as standards for user access management, network access control management, operating system software management, and the complexity of corporate passwords. Some of the more common additional items discussed are techniques for monitoring how corporate systems are accessed and used, how unattended workstations should be secured, and how access should be withdrawn when an individual departs the firm. IAPP has a fantastic example of this type of policy, which you can find here.
3. Change Management Policy
When it comes to information technology, software development, and security services and operations, a change management policy defines a systematic process that must be followed when making changes. The purpose of a change management programme is to raise awareness and knowledge of planned changes throughout a company, and to ensure that all changes are carried out in a methodical manner in order to minimise any negative impact on services and customer satisfaction. The SANS Institute provides a solid example of an IT change management policy that is available for fair use.
4. Information Security Policy
The information security policies of an organisation are typically high-level regulations that can cover a wide range of security measures across the organisation. When a corporation issues a primary information security policy, it does so to ensure that all employees who use information technology assets throughout the organisation, or on its networks, adhere to the policies and principles set forth in that document. In some firms I have observed employees being asked to sign this document to acknowledge that they have read it (generally done together with the signing of the AUP). This policy is intended to make employees aware that there are rules under which they will be held accountable when it comes to the sensitivity of company information and information technology (IT) assets. The State of Illinois’ cybersecurity policy, which is available for download, is a great example of what can be done in this area.
5. Incident Response (IR) Policy
The incident response policy is a methodical approach, written in plain English, to how the organisation will manage an incident and mitigate its impact on operations. It is the one policy that all CISOs hope they will never have to invoke. Its purpose, nevertheless, is to set out the process of dealing with an event in order to limit the harm to business operations and customers, and to reduce recovery time and costs. An example of a high-level information security plan is provided by Carnegie Mellon University, and SANS provides a plan that is tailored to data breaches.
6. Remote Access Policy
A remote access policy is a document that discusses and defines the permitted means of connecting to an organisation’s internal networks from outside the organisation. I’ve also seen this policy include addendums with regulations for the usage of BYOD assets, which I thought was a nice touch. For enterprises with dispersed networks that can extend into insecure network locations, such as the local coffee shop or unmanaged home networks, this policy is a necessity. SANS provides an example of a remote access policy, which may be found here.
7. Email/Communication Policy
A company’s email policy is a document that formally explains how employees may communicate with the company using the electronic communication medium of their choice (in this case, email). This policy, according to what I’ve read, covers email, blogs, social media, and chat technology. One of the key objectives of this policy is to give employees guidance on what constitutes acceptable and inappropriate usage of any business communication technology. SANS provides an example of an email policy, which may be found here.
8. Disaster Recovery Policy
Disaster recovery plans for organisations are typically designed as part of a larger business continuity strategy that incorporates input from both the cybersecurity and information technology departments. An incident will be managed by the CISO and his or her teams in accordance with the incident response policy. The Business Continuity Plan will be invoked if the event has a major impact on the organisation’s operations. SANS provides an example of a disaster recovery policy, which can be found here.
9. Business Continuity Plan (BCP)
The business continuity plan (BCP) will coordinate efforts throughout the enterprise and will use the disaster recovery plan to restore the hardware, applications, and data that are deemed necessary for business continuity. Each business has its own business continuity plan, which details how the organisation will operate in the event of a disaster. FEMA and Kapnick both have examples of business continuity plans (BCPs) that firms can use to develop their own.
The policies and documents listed above are only a few of the fundamental building blocks I follow when developing successful security initiatives. As an organisation advances and the security programme grows, a CISO will take on a plethora of new skills and responsibilities.
For those individuals who have been assigned the responsibility of developing their company’s first security policy, I would recommend two resources. The first, as previously mentioned, is the SANS Information Security Policy Templates website, which contains a large number of policies that may be downloaded. The other resource I would recommend is an article published by CSO that provides links to policies tailored to specific situations such as privacy, workplace violence, and mobile phone use while driving, to mention a few.
Always remember to educate and train your personnel on your new policies and procedures. It is critical that personnel are aware of, and kept up to date on, any changes to information technology and cybersecurity procedures.