One of the cornerstones of security is policy, and as much as most of us dislike writing them, without them we are all pretty much floundering around. So today's tips relate to developing and distributing policies.
We'll get the basics out of the way. Why do we need policies? Policies outline the dos and don'ts for the organisation. Staff and management both know where they stand in relation to important issues. Policies also help modify behaviour: if people are surfing for porn, you put a policy in place to help modify that behaviour.
So what do we need? These are a few of the "duh" points, but important nonetheless:
Make sure you have senior management support.
Write SMART policies: Specific, Measurable, Achievable, Realistic, Time-based.
Keep the audience in mind when writing policies.
If it doesn't have the word MUST in it, maybe move it to a guideline or standard. In other words, keep policies as policies, guidelines as guidelines and procedures as procedures. You'll only confuse the message if you mix them.
Make sure you have a compliance statement; people need to know what happens if the policy is not followed.
Make sure it is available to everyone.
Regularly review the policy.
Get legal to check them out.
Collaborate with stakeholders in developing the policy.
Make sure you cover items of specific risk in the organisation.
Make sure the policy is in line with the corporate objectives and overall security posture.
Get people to sign that they have read and understood the policies.
Reinforce the message regularly.
After writing the policies you will need to make sure they are disseminated. There have been plenty of examples over the years where people have been sacked and then reinstated because of weak policies, or policies that weren't enforced or were enforced inconsistently. The traditional methods are publishing on the intranet, as part of the induction process, document management systems, etc. A good idea is to develop a quiz which must be taken by staff. That way the lessons are reinforced and you have a register of who has read and understood the policy.
So which policies do you need? It depends on the organisation and whether you are working to standards like ISO/IEC 27001, SOX, etc. The basic ones I think you should consider are:
Information security policy
Acceptable usage policy (make sure you cover internet and email usage)
Remote access policy
Access control policy
Information Classification Policy
That's a quick start to the day. Send in tips for disseminating policies, reinforcing the message, and examples of good practices and bad ones.
Cheers
Mark H - Shearwater