IT Security Policies - What We Expect From You

IT Security Policies

What We Expect From You

Rocco Gagliardi
by Rocco Gagliardi
on February 06, 2020
time to read: 6 minutes

Keypoints

What you can expect from IT Security Policies

  • Security policies are for all employees
  • They are essential for good security posture
  • And they must be reasonable and clear

During our review, we request a set of IT Security Policies (SP) for compliancy analysis. Although many of our customers have, at least a part of, the documents, many others remain puzzled from our questions. What we expect is the focus of this article.

Why we ask for SP? Security is, like many others, a complex task; every such task normally requires a plan in order to be efficient. The plan is the SP. If you don’t have – or have incomplete – policies, we expect no clear structure of the IT infrastructure and consequently of their security. If you have a SP, you have at least been confronted with many aspects of the security, like governance, asset management, monitoring and response, etc.; you probably have at least spotted the problems, and worked or are working on possible solutions and mitigations. If you have gone through all these steps, your company has probably at least an acceptable security posture.

Additionally, to maintain compliance, every security framework requires a form of written information security policy, for example:

If you do business with others, it is usual that the counterpart requests you to provide your SP as part of a vendor assessment. Please note that the SP should be your priority because it is primarly for your own protection, since you achieve a better legal protection. As example, in case of a data incidents, if you have specified how data should be classified and how sould be manipulated, there is little room for disputes.

What is in a Security Policy

The SP is a plan for how you will implement security in your organization, considering principles and technologies. It must be high level, specifying that something must happen but not how it will happen (technology and vendor independency), for that you need detailed specifications.

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. (ISO27002 5.1.1)

A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. (ISO27002 5.1.1)

During our review, we check that each document of the SP satisfies at least following criteria:

Regarding the number and scope of the documents, as specified in many standards, we expects at least:

Each policy should be:

If you look for a good template repository, check SANS Information Security Policy Templates.

Summary

For a small or medium-sized company, without specialized resources dedicated to the topic of IT security, the request for a security policy can be a puzzle that they try to solve by showing configurations, checklists and network schemes. This is not what we expect during our reviews. Security Policies are a set of high-level documents that indicate to a user, without specifying in technical detail, how to behave in the various situations in which an IT system is used. It is a set of documents with reasonable recommendations that can be used by every employee of the company.

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in network routing, firewalling and log management.

Links

General Data Protection Regulation GDPR is a Challenge?

Our experts will get in contact with you!

×
SQLite forensic's notes

SQLite forensic's notes

Rocco Gagliardi

Microsoft365DSC

Microsoft365DSC

Rocco Gagliardi

Office 365 Teams Security

Office 365 Teams Security

Rocco Gagliardi

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here