Companies the world over are becoming increasingly aware of the existence of security threats and the need to guard against them. The foundation for addressing these threats is a clear set of security policies and standards. Knowing that security policies and standards are needed is good, but knowing what to put in them is vital.
The actual corporate security policy, as one element of the overall set of security documents, is a relatively short and tightly focused document. Its purpose is to define the company's stance with regard to IT security, not to specify the what, how, and why of applying that security. The following is an inclusive list of the topics that should be addressed in a security policy:
Purpose. A broad statement indicating that the company is taking steps to ensure that its computing resources and information assets are protected from threats.
Intent. More specific statements about the existence of the policy that indicate the motivation and rationale behind the creation and enforcement of the policy.
Audience. A defined statement of the applicability of the policy – the combination of to whom and the circumstances under which it does or does not apply.
Responsibilities. Statements about the roles of the employees, management, and security staff in upholding the policy and enforcing security.
Management. A broad set of statements indicating who will manage security, how it will be managed, and the oversight that will be used in its management.
Revision. Statements indicating the circumstances and timeframes under which the policy will be reviewed and revised to ensure its accuracy and currency.
Enforcement. Direction on how the policy will be enforced as well as an indication of the actions that may be taken in the event of a violation.
Companies have a legal obligation to ensure that they have taken due care in protecting information assets. Not having a security policy is a sure-fire way of failing to meet the due care requirement.
Security standards are broader in scope than policy, so the document set will be larger. Standards define what the enterprise will do to ensure that its information assets and computing resources are secure. Standards do not define how this will be achieved (i.e. specific configurations belong to baselines and step-by-step processes belong to procedures), but are vital nonetheless. The following is a suggested list of the topics that are to be addressed in a set of standards. An inclusive list cannot be provided due to the variability between enterprises:
Systems configuration. Broadly specifying how the various systems of the enterprise will be protected (e.g. use of DMZs, anti-malware tools, etc.). This section covers everything from workstations to home networks, as well as the security tools themselves.
Asset classification. Identification of the asset classification schemas (for systems and data) that will be used. A small but important standard that is used to define the relative value of the data and devices the enterprise owns.
Access control. Indication of the various access control methods (e.g. passwords, tokens, etc.) that will be used, and the circumstances surrounding their use. It is here that passwords are discussed as well as access rights to networks, systems and data.
Asset management. The manner in which assets (e.g. systems and data) will be managed on a day-to-day basis for the purposes of maintaining security. This is another broad area that touches on issues such as the movement of hardware, the storage of hardcopy data, and the safe disposal of equipment.
Acceptable usage. The restrictions that are placed on the use of the company's assets to minimize the occurrence of intentional and inadvertent threats. Generally the most common security document, it lists the things that employees can and cannot do with company assets. It can also be extended to partners and clients.
Training and awareness. Indication of the intent to educate employees to make them aware of potential information attacks, such as social engineering. A short but important standard that defines the security training regimen and its value.
Physical security. The physical controls that are used to protect enterprise assets (including its employees). This covers topics ranging from clean-desk policies to issues such as parking lot lighting and data center access.
For a sample table of contents on security standards, use the McLean Report "Security Standards Policy Table of Contents" template. Though this sample is quite comprehensive, it is not exhaustive. It should be used as a guide only and be modified to fit the needs of the individual enterprise.
Unlike policies, no legal obligation exists for having standards. However, their creation is necessary to ensure that required baselines and procedures are developed and that the development occurs in an appropriate manner.
Don't be worried by the thought of writing security documents. When it comes to security policy, creation can be quick and relatively painless. Ensure that the company has a policy to protect it from legal proceedings, and do so now.
Make certain to address all aspects of the enterprise. When it is time to write the security standards, they must be all-encompassing. If an aspect of the enterprise is not addressed, it has the potential to undermine the enterprise's entire security system.
Start broad, then go deep. Policy and standards are very different from baselines and procedures. Don't deep dive into specific configurations and step-by-step guides at this point. It's more important to address everything broadly rather than deal with only a few items deeply.
Creation can take time – don't rush the process. While writing policy can be relatively quick, writing standards is a lengthy process. Be prepared for this, and allocate sufficient resources and ample time rather than cutting corners and skipping systems.
When in doubt, call in an expert. Outside assistance can dramatically reduce the time required. It does not matter whether the expertise comes from a consultant or from a set of generic policy and standards statements. Expert assistance brings prewritten generic policies that need only be adapted to the enterprise rather than being created from scratch.
Security documents are vital to ensuring that enterprise resources and information assets are appropriately protected. However, unless these documents are crafted correctly, the protection that they seek to provide can be compromised.