Good IT security policies have become one of the most critical elements of any security program. A good policy sets out a specific set of guidelines, procedures, and standards that every user who accesses a computer resource must follow. It also holds all users to the requirements for protecting the confidentiality, integrity, and availability of those resources. A detailed security policy and program can also help an organization in the event of an audit or a security violation, and can provide the justification for terminating an employee.
A good security policy should:
- Clearly communicate its requirements in concise, realistic terms
- Have a clearly defined scope (beware of scope creep)
- Be accessible to all users
- Clearly state the areas of responsibility and the role of each party, including management, administrators, and users of the computer resources
- Identify how incidents will be handled, documented, and communicated
- Provide guidance on specific procedures and requirements
- Be enforceable
Writing a policy takes many people within an organization. Creating these documents requires management, security officers, IT administrators, and other key personnel, and the resulting security policy must be built around the organization's security vision.
Listed below, as a high-level overview, are several types of enterprise security policies that organizations will need to distribute to their employees as guidelines and procedures:
| Policy | Description |
|---|---|
| Acceptable Use Policy (AUP) | Defines how employees may use enterprise resources, applications, and equipment. Before any employee or user is granted access to the network, they should sign and acknowledge the AUP. It should be very detailed and should clearly state the consequences of blatant disregard for its requirements. |
| Planning Policies | Organizations should have policies in place for disasters; having a Disaster Recovery Plan and a Business Continuity Plan in place makes recovery efforts go more smoothly. When planning for disaster recovery and business continuity, two further policies need to be considered. (1) A backup and restore policy, which should include guidelines and procedures on how data is to be backed up, stored, and restored (stating the type of equipment that will be used), a backup schedule, and the checking and rotation of log files. (2) An incident response policy, which determines what actions the organization will take in the event of a confirmed or suspected security breach. |
| Security Policies | General security policies are formalized statements that define how security will be implemented within a particular organization. They state how the organization will protect the confidentiality, integrity, and availability of sensitive information and its resources. Their implementation should extend to physical environments as well as applications. |
| Remote Access Policies | Guidelines and procedures should be in place for any device that connects remotely to the network. This policy should be very specific about the types of connections permitted, how authentication will occur, and the requirements any device must meet to be allowed remote access. It should also cover antivirus software requirements, the disabling of file sharing, the ability to push policies to the device, and the use of multi-factor authentication. |
| Wireless Security Policies | Sets out the guidelines and requirements for using the organization's enterprise wireless network, including device, secure connection, and authentication requirements. |
| Password Policies | A good password policy spells out the requirements for password usage. It should explain in detail what is considered a strong password and what is considered a weak one, and how passwords are to be kept secure. |
| Physical Security Policy | Explains how physical access points are to be secured and what methods are required to secure, control, and monitor those points. |
| Network Policy | Defines how the network functions and establishes expectations for users, staff, IT personnel, and management. It describes in detail the acceptable use of network equipment, troubleshooting, and network management. Policies should also be in place for external devices such as thumb drives, instant messaging, vendor agreements, network monitoring, and network maintenance. |
| Internet Policy | Explains in detail which IP addresses and content are allowed and which sites are not. It should describe how all activity will be monitored, since the internet is the gateway through which the organization is most exposed. |
| Email Policy | An effective email policy is a must, as Trojans, worms, and viruses use email as a vehicle to travel across the internet. The policy needs to explain clearly what suspicious emails look like and what users are to do when they encounter one. It also needs to state that emails sent to personal email accounts will be scanned and delivered only at the organization's discretion, depending on their content. |
| Audit Policy | Describes the requirements and parameters for any risk assessments and audits involving the organization, and names the persons responsible for performing those audits. |
| Change Management Policy | States how changes will be documented. The policy needs to raise awareness of any proposed changes to the physical and logical environment in order to minimize the possible negative impact on customers and services. |
One of the most important parts of a policy is how it will be enforced. If users realize that the policies, guidelines, and procedures put in place within the organization can be broken without repercussion, violations will occur more frequently, and that can be damaging to the infrastructure. Blatant disregard for policy should be met, depending on its severity, with anything from a warning to termination. For example, suppose you have a detailed acceptable use policy that each employee must sign every year, which discusses the importance of never sharing your username and password, and employee X has his logon information posted on the board in his office. What then?
For a security program to succeed, an organization needs a designated Information System Security Officer and Chief Information Officer. They must be granted primary authority by senior management to perform audits and enforce the security policies, and senior management should not interfere with those audits and enforcement actions, as doing so can be disastrous for the effectiveness of the policies.
What are your thoughts, and what other policies and documentation do you think should be required within organizations?