During our review, we request a set of IT Security Policies (SP) for compliancy analysis. Although many of our customers have, at least a part of, the documents, many others remain puzzled from our questions. What we expect is the focus of this article.

Why we ask for SP? Security is, like many others, a complex task; every such task normally requires a plan in order to be efficient. The plan is the SP. If you don’t have – or have incomplete – policies, we expect no clear structure of the IT infrastructure and consequently of their security. If you have a SP, you have at least been confronted with many aspects of the security, like governance, asset management, monitoring and response, etc.; you probably have at least spotted the problems, and worked or are working on possible solutions and mitigations. If you have gone through all these steps, your company has probably at least an acceptable security posture.

Additionally, to maintain compliance, every security framework requires a form of written information security policy, for example:

• NIST CSF (ID.GV-1)
• ISO 27002 (5.1.1)
• NIST 800-53r4 (PM-1)
• PCI DSS (12.1)
• GDPR (Art. 5,25,32)

If you do business with others, it is usual that the counterpart requests you to provide your SP as part of a vendor assessment. Please note that the SP should be your priority because it is primarly for your own protection, since you achieve a better legal protection. As example, in case of a data incidents, if you have specified how data should be classified and how sould be manipulated, there is little room for disputes.

What is in a Security Policy

The SP is a plan for how you will implement security in your organization, considering principles and technologies. It must be high level, specifying that something must happen but not how it will happen (technology and vendor independency), for that you need detailed specifications.

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. (ISO27002 5.1.1)

A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. (ISO27002 5.1.1)

During our review, we check that each document of the SP satisfies at least following criteria:

• Has an overview of what is addressed
• Has a clear defined target audience
• Has a clear stated purpose, explaining why the SP is required
• Has a clear stated scope, explaining exactly what is in scope and what not
• Has policies
• Defines without ambiguity the terms used
• Has a version, an author, a list of revisers, a validity period

Regarding the number and scope of the documents, as specified in many standards, we expects at least:

• Data Classification Policy: A set of rules to classify information based at least on confidentiality, integrity, and availability.
• Data Manipulation Policy: A set of rules defining how to receive, store, and transmit information.
• Acceptable User Policy: A set of rules that restrict the ways in which the system is used and describe how to use it.
• Authentication Policy: A set of rules defining how the authentication process must work.
• Backup Policy: The organization’s requirements for backup of information, software and systems. The policy should define the retention times and the protection measures required.
• Incident Response Policy: A plan outlying organization’s response to an information security incident, identifying team, roles, main processes, tools.
• Network Access Policy, and optionally Remote Access Policy, VPN Policy, Wireless Access Policy, Third Party Connection Policy.
• Network Security Policy: A set of rules to implement security controls, without specifying technologies, and high-level directives on acceptable and unacceptable actions to protect critical assets.
• Guest Access Policy: The policy covers at least acceptable user policy acceptance, account use, security of guest machines, guest infrastructure requirements.
• Password Policy: A set of rules to force user to use more secure passwords.

Each policy should be:

• Written in “plain language”: The policy is not for specialist. These documents, not containing specific technical details for a product, but general guidelines of behavior and must be potentially read by every employee.
• Minimized to the absolutely necessary length: Well-written policies are less than 10 pages long, including the index. Policies lengthen if several topics are mixed; therefore it is good to review them constantly and dedicate a specific document to each topic. A good set of high-level policies consists of around twenty specific documents.
• The policy must be reasonable, it should improve the company’s security: Reasonable means taking into account the reality of users with different technical skills, budgets, increasingly complex technologies and a job that needs to be done. In an ideal world, security would be total and transparent to the end user; in the real world, it must be decided where it is necessary to irritate the user in order to obtain an acceptable level of security to minimize the risks.
• The policy must be enforceable: It should clearly state what is permitted and what is a violation.
• The policy must be reviewed at regular intervals: New technologies and new risks can have an influence on security policies, so a five-year review of policies is a normal practice.

If you look for a good template repository, check SANS Information Security Policy Templates.

Summary

For a small or medium-sized company, without specialized resources dedicated to the topic of IT security, the request for a security policy can be a puzzle that they try to solve by showing configurations, checklists and network schemes. This is not what we expect during our reviews. Security Policies are a set of high-level documents that indicate to a user, without specifying in technical detail, how to behave in the various situations in which an IT system is used. It is a set of documents with reasonable recommendations that can be used by every employee of the company.

About the Author

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.

Links

• https://www.sans.org/security-resources/policies