INFORMATION SECURITY POLICY - Information Security A Practical Guide: Bridging the gap between IT and management (2015)

CHAPTER 10. INFORMATION SECURITY POLICY

Chapter Overview

This chapter introduces the topic of security policies, explaining their importance and giving you a baseline from which to build a strong foundation. If you are looking to attain ISO27001 certification then you will need to produce security policies to form your information security management system (ISMS). This chapter is not intended to advise you on how to achieve this level of maturity, but to give you an appreciation of why these policies exist and how they can be used to achieve your organisation’s goals and objectives.

It is important that security policies are created in line with the organisation’s culture; they should be an enabler, not a hindrance to staff. For example, if staff need to use laptops as part of their jobs then the policies should define their behaviour so that staff know what they can and cannot do, and so that they know how to use the laptops in a safe manner. What the policies should not do is impose so many rules that staff stop using laptops and taking advantage of mobile working. It is about striking a balance and achieving a level of protection suitable to the risks involved.

In this chapter I explain some of the advantages of good security policies, which will help you justify to the business the policies you identify as required. I also describe how policies should be laid out and some of the key terms and words that should be used. I then explain how to make sure your policies are effective and are followed, or as I like to say, giving your policy teeth! Finally, I describe some of the key basic policies I believe all organisations should have.

Objectives

In this chapter you will learn the following:

• The benefits of security policies

• Key or baseline security policies

• How a policy should be presented

• Ways to ensure your policies are read

• Giving your policies teeth.

The Advantages of Security Policies

The advantages of security policies are typically much the same as those of any other policy, except that they come with the aim of maintaining the organisation’s security.

The first advantage is that the policy informs staff what is expected of them. When staff are given access to a new system or piece of equipment they should also be provided with a copy of the policy that applies (or a link to an intranet page containing it). You should seek their agreement that they understand the policy and that they will follow it. By doing so you will have confidence that the system or device will be used as expected.

When using a system or a device staff often face the same recurring questions and points where they need to make a decision. An example I often encounter is when our staff visit a conference and are given the slide deck on a USB pen; they often ask if they are allowed to plug this into their desktop and whether they are allowed to copy data from the device. By creating a policy and making staff aware of it, you enable staff to answer many of their own questions by referring to the policy.

In larger organisations it is important to ensure a consistent approach, especially when large company networks are involved. A malware infection could quickly spread from PC to PC or destroy data on shared network drives. By producing clear and concise policies we can ensure our staff follow the same standard security practices.

When new staff join the organisation it is important to bring them up to speed as quickly as possible. Often they will have become used to a previous working culture and it will take them time to adapt. By documenting the security policies not only can you bring them up to speed quickly but they also have a point of reference to make sure they are following your practices.

The final advantage is one of liability, not just for the company but also for staff. If a member of staff consistently fails to follow the rules set out in a policy, this can be used as grounds for disciplinary action. If the policies are not documented, you will find it extremely difficult to ensure a consistent way of working is being followed by all staff. Conversely, if a member of staff follows the rules set out in a policy and there is a security breach then they can defend their actions by showing that they followed the policy. A member of staff cannot reasonably be punished if they followed the rules set.

Identifying What Policies You Need

Later in this chapter I describe some of the more common security policies that you’ll come across and will possibly need depending on your business. However, just because it seems like a good idea or because someone else has one doesn’t mean you should have the same policy. Like all security controls, policies and their content should only be created where there is a business need for them.

Security policies should be created after carrying out a risk assessment. For example, if our business decides that all employees should have laptops then we should carry out a risk assessment looking at the risks of staff having laptops. This risk assessment will help us decide the security controls needed, which will then help form the security policy for using a laptop.

How a Policy Should be Written

When writing policies it is important to keep them to the point and ensure your instructions are clear and easy to understand. Note that a policy describes what must be done but typically not how it should be done; that level of detail would exist in a security operating procedure. I recommend using the following key terms: Must, Should and Will not. This is similar to the MoSCoW method, which adds the additional term Could.

Must describes something that must be done. For example, staff must wear their ID passes at all times.

Should describes something that is highly desirable. For example, when using a laptop in a company place you should be aware of anyone trying to shoulder surf.

Won’t describes something that must not be done, which can be written as ‘will not’ if it makes for better reading. An example could be staff will not leave laptops unattended in public places.

Giving Your Policies Teeth

No matter how reasonable or pragmatic your policies are, there will be people who will not follow the rules laid out in them. Either they see the rules as excessive or they don’t fully understand the risks (or don’t take the time to understand them). Luckily these instances are few and far between, but you must ensure your policy is obeyed. This is best achieved by some sort of disciplinary action being taken should a policy not be followed. Failure to follow a policy is often referred to as a policy breach.

You will probably find that it is not within your power to define what disciplinary action should be carried out if a policy is breached. However, by now you should have built a good relationship with management (Chapter 1) and they will have been involved with the risk assessment. Because of this they will have helped you define the impact on the business should the policy rules be breached. This means they have some appetite for ensuring the policy is enforced and for deciding to what level that enforcement is carried out. Some suggestions for ensuring compliance with the policy are as follows:

• Reminder: the employee is given a reminder of the policy rules, which can be done verbally but I recommend following this up in writing (email) and possibly copying their line manager. This will ensure you have a record if non-compliance continues.

• Withdrawal of company privileges: this could be withdrawing use of a company car park or maybe an iPad. The point being made is that the staff member can no longer be trusted to use the asset securely, therefore they can no longer use it at all.

• Formal warning: the employee is formally warned, which needs to be done in line with human resources and any formal policy they have for managing this process.

• Termination of contract: finally, and this really should be a last resort reserved for only the most severe breaches.

To successfully implement these penalties you need management approval, and possibly the agreement of the board and human resources.

Key Security Policies

The next section seems to contradict my previous statement that policies come from risk assessments and that you shouldn’t just copy what someone else is doing. However, I want to describe the more common policies and mention the key elements that they maintain. Think of this as more of a starting point to be considered rather than a foundation for the creation of policies.

Remember that good policies are created based on risk management: if there are no risks then you don’t need to create a policy.

IT Usage

The IT usage policy (or computer usage) is the keystone of all computer-related policies. It sets the foundation for the other policies that you may decide to implement and shapes the way your organisation works with IT. Some key points that this policy may include are:

• PC locked when unattended

• Complex password used and not written down

• Rules on plugging in USB devices

• Rules on plugging devices into the network

• Do not share account credentials.

Email Usage

The email usage policy is another key policy if your staff have access to email. Email is a useful tool in business and can help people to collaborate, so it is important that any policy isn’t too prohibitive. Some key points are:

• Can email be used for personal use?

• Is the use of personal email allowed during lunch times?

• What can be sent or discussed in email and what can’t?

• Do emails require a protective marking in the subject line?

Internet Usage

Much the same as email, the Internet is an extremely useful asset to any business. Responsible use of the Internet should be encouraged. As such the policy should be written in much the same way. Staff should know what the conditions of use are so that they can feel confident they aren’t breaking policy. Some policy rules that you may want to consider include:

• What websites are prohibited?

• Can the Internet be used for personal use?

• Is Internet use monitored?

• Can files be downloaded from the Internet? What about executables?

Laptop Usage

Laptops are becoming the preferred platform for staff, slowly replacing desktop PCs. They now offer similar performance but with much more flexibility in terms of location, and it is this flexibility that poses the most risk. Most office work environments are secure but a laptop can be used anywhere – a pub or a train for example. The size of a laptop makes it very easy to steal, and its use in public could allow someone else to read the screen. Some policy points to consider are:

• Where can the laptop be used?

• Does it need to be secured physically?

• Where should it be stored when not in use?

• What do you need to do if it’s lost or stolen?

Ways of Ensuring Your Policy is Read

Having your policy read can often be very challenging. A very descriptive and well-written document can become very long and put people off reading it, or even worse force them to skim-read it and miss important points.

Two common ways of encouraging a policy to be read are to have a reward, for example a prize draw, or a quiz that offers a prize for those who answer the most questions. The problem with these is that policies are constantly changing and evolving to meet business needs, so having a quiz and a prize is impractical. Additionally, people will read the policy only to win a prize rather than seeing the value of the policy and following its instruction. Some better ways include the following:

Allow people to be actively involved in the review and creation of the policy. Getting user feedback on what works and what rules are impractical will help you fine-tune the policy. People will be better engaged and more likely to follow the rules that they shape.

Produce a 60-second guide. Make a very succinct set of policy rules with reasoning or explanation removed. This will be useful to those who want a refresher or are in a hurry. If people know they can read the entire policy quickly then they are more likely to read it cover to cover. If they don’t understand some of the rules or wish to challenge them then the full policy can then be referred to for clarification.

Questions and answers. When you publish a policy you will encounter lots of questions from staff members, and often these questions are the same. You may find it useful to hold questions and answers meetings and allow people to personally ask questions about the rules. These sessions can then be documented and shared with people who need to follow the policy. They allow people to engage better with the policy and further understand it, which in turn motivates them to read the policy document.