What is Security Policy?
Every day an untold number of computers are attacked, sometimes millions of times in a second. Over the years, companies have evolved strategies for blocking these dangers. The collection of rules, guidelines, suggestions and best practices is encoded in the security policy.
Some of the rules are aimed at everyone in the company. They may insist on more than 14 characters in a password or require a second form of authentication to log in. The policy may include regulations on when the computers can be used and insist upon some simple rules about bad practices like using unsecured wifi connections for sensitive information.
Other rules run deeper and guide the teams that maintain the digital infrastructure. They govern the machines, like the servers that support the databases or the networks that carry data. They may, for instance, ensure that data is destroyed correctly when it is no longer needed.
All of these rules together form the security policy of an organization. They are the best first line of defense against all of the problems that can destroy an enterprise by corrupting the computational framework of the firm.
What are the goals of the security policy?
At the highest level, the goal is to keep the people and the organization safe and thriving. This usually involves protecting the personal information of clients and employees while guaranteeing that only the right eyes see the workflow of the enterprise.
As digital infrastructure becomes dominant, there is an increased focus on accuracy and authenticity. It’s not enough for the security policy to protect the information against snooping eyes; it must also defend it against people who want to introduce errors, often to defraud the company.
While many companies have similar goals, at least in the abstract, the details can be very different because each organization has different needs. Some businesses and government agencies want everything to be as tightly locked down as possible. They want a strict policy that prevents any unauthorized access. This is a good policy when the cost of an incursion could be catastrophic. They’re willing to work with the strictures of a very thorough policy to gain assurance against attacks.
Others are more open, to a point. A newspaper, for instance, has no concerns about people reading the published articles; indeed, they want the readership to be as broad as possible. They do want to make sure that the contents can’t be changed by a hacker. They will have a different approach than the groups that need total secrecy.
What are some parts of these policies?
Security policies continue to evolve as CSOs, CISOs and their teams add new restrictions as they grow to understand just how malicious actors can abuse their systems. Here are some of the common parts that are found in many policies today:
- Password policy: What are the requirements for passwords, such as minimum length, complexity, and expiration?
- Access control policy: Who has access to what resources and data? Is the policy organized around roles?
- Incident response policy: How should incidents be handled? Who is responsible for investigating and resolving them? Is there a policy and protocol that should be implemented if a breach is discovered?
- Data security policy: How should data be stored, protected, and erased?
- Email policy: Are there corporate-wide policies on how email is to be used? Which types of messages are allowed and which types are prohibited? Are there rules about retention? Is the email scanned for potential threats and malware?
- Social media policy: How should employees use social media? What types of content can they post, and what types of conversations can they have? How do they represent themselves? Is there a distinction between company-affiliated posts and personal posts?
- Device usage policy: What devices can employees use for work? How are those devices to be managed?
How will the security policy be enforced?
Any policy must be applied to everyone, with a careful eye for fairness and attention to the practical needs of everyone. In some cases, security policies can hamper employees and prevent them from accomplishing tasks. The team responsible should always balance the need to prevent attacks with the goal of nurturing the business.
When it’s well-designed, automation can enhance security and simplify workflows by enforcing policies at all times with precision and uniformity. Employees become familiar with the rules, and the rules become second nature.
When the solution is poorly designed, perhaps because it’s erratic, inconsistent or domineering, users become frustrated when they can’t complete their jobs.
The goal is for the enforcement to disappear by being predictable and consistent.
Who is responsible for enforcing the security policy?
The simplest answer is: everyone. The systems function best when the organization can rely upon all members working together to ensure the data and the systems remain secure.
Some people have more responsibility. They guide the evolution of the policy and pay special attention to ensuring it is enforced. Some organizations add titles like “chief security officer” or “chief information security officer.” These C-suite officers have ultimate responsibility for the security of the company, and they answer directly to the board of directors and to the shareholders.
Larger organizations will hire entire specialized teams. These may regularly audit the systems and network traffic, looking for anomalies. They can also specialize in common problems like detecting intrusions or investigating complaints from the human resources department. They may be skilled in network security or in particular areas like digital forensics.
Smaller organizations often have the same types of problems but, hopefully, at a smaller scale. When there aren’t full teams of specialists, the organization may outsource some of the work to consultants. In many cases, the smaller internal teams rapidly become experts in many aspects of security.
How is security becoming an essential feature for products?
Many software packages explicitly include features that can support a variety of security policies. Some offer basic features like password protection or integration. Others support the most demanding requirements from the military.
Many cloud services include portals that allow the security team to set policies like the amount of authentication or the timeline for document retention.
What are the consequences for violating the security policy?
In many cases, the results are minor and the consequences are few or non-existent. Many mistakes don’t lead to a loss of data or a failure of the system. People make mistakes frequently and a good security policy minimizes the damage. There are hundreds of different kinds of small violations that don’t require serious consequences.
This isn’t always the case. Sometimes a poorly crafted password can be guessed by an attacker who downloads the most crucial files for the company. Sometimes the attacker is not happy with just accessing information. Some people want to actively destroy systems for industrial plants and they use their access to trigger the worst possible events. It’s not an exaggeration to say that some violations of security policy can lead to death and massive destruction.
Security teams can use forensic analysis to establish the scope of the breach. In some cases, the incident response team can make guesses about the goals of the attacker. In others, they can establish just how much data was lost. Good forensic analysis can provide an accurate estimate of the danger so that the leadership can understand the consequences and make a good plan for mitigating the damage.
How will the security policy be reviewed and updated?
The security teams should adjust policies in two different ways. First, they should have a regular process for evaluating the rules in the policy. This might be with quarterly meetings or a standing discussion board for all team members. It should also include a way to poll all employees and gather suggestions from everyone. In many cases, it’s difficult for trained security officers to understand just how the security policy works for the rest of the workers.
Second, the team will want to respond immediately to any breach or attack and adjust the policy if it’s possible to prevent similar failures. If there’s a significant weakness, the team should not hesitate to make drastic changes, while keeping in mind the costs and inconveniences of these changes.
The reviews of the security policy should be as broad and open as possible. This doesn’t mean sharing root passwords or the innermost secrets with everyone. Gathering reflections and opinions from all users can be time-consuming, but it builds broad support by educating the users and also ensures that the security restrictions are appropriate and do not constrain the business.
These broad reviews can also reveal weaknesses and opportunities for improving the enterprise’s approach. In some cases, the front-line teams may be the first to notice anomalies, or rules that should be changed.
What training is provided to researchers on the security policy?
There are a wide variety of companies and universities that teach courses on the best practices for securing an enterprise. Some are shorter and presented online in an asynchronous format. Others are longer and may be conducted in person at conferences or colleges. Some students devote several years to earning advanced master’s degrees or doctorates.
A number of online organizations operate marketplaces where multiple providers deliver sophisticated courses.
Much security training is built around certifications like the Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO) or Certified Information Security Manager (CISM). These highly specialized courses involve in-depth coursework followed by exams.
Many platforms also offer their own focused courses. The cloud platforms like Amazon Web Services or Microsoft Azure offer their own courses on how to ensure that their customers use the best practices.
How are systems monitored to ensure compliance with the security policy?
IT teams can rely upon a broad collection of tools to monitor their networks and machines for any signs of a failure in security policy. Many are automated and integrated with other software packages to watch over all activities. They generate reports with recent data for the IT teams.
Some investigators rely upon audits, both planned and unannounced, to uncover problems or violations. Digital forensics tools can examine the log records and internal files of computer systems, and these investigations can reveal when and how the policy failed.
What procedures are in place for handling security incidents?
A security policy usually includes a section that guides how an organization responds to any breach or attack. These may include shutting down networks, stopping services or restricting access.
Investigating the scope of the security failure is essential. Some businesses have regulatory requirements to notify governments, employees or users if their data is exposed. The team can also use the investigation to close holes and adjust the policy to prevent recurrence.
Several tools for digital forensics can help search computers for clues or digital footprints that might be left behind. Specialized DFIR tools like Autopsy and Cyber Triage will be useful.
Larger organizations maintain teams devoted to DFIR (digital forensics and incident response). Some of the largest separate the workload, so some concentrate on forensic examination while others specialize in responding immediately to any breach or security policy violation.
What are the key takeaways for teams writing a security policy?
Be clear. The best policies are understood by everyone.
Balance the needs with the dangers. Not every organization needs the highest grade of security. Remember the costs as well as the benefits.
Build internal talent in digital forensics. The field can uncover the extent of problems and provide an accurate metric of damages. This helps leadership make balanced decisions.
Revisit the policies regularly. A solid process for watching for problems and re-evaluating the scope of the policies can help the enterprise grow safely and securely.