Security policies are yet another aspect of information security that is all around us, yet we are hardly aware of it. In this post we look at what a security policy is, the reasons for having security policies, and some examples of security policies.
A security policy, in a nutshell, is a document that lays out in detail how an organization plans to safeguard its business and technological assets.
It is framed by the management of the organization with the type of organization in mind. A small business with 10-15 employees may need only a limited security policy. On the other hand, a large organization with 1000 or more employees may need a broader and tighter security policy. The policy also needs to be strictly enforced. Examples of security policies include an email policy, a remote access policy, an Internet policy, a wireless communication policy and so on.
Let us look at some examples of real-world policies:
- Library policy: all books have a due date, and the policy states that a book has to be renewed by that date (extended for another period of time) or a fine is paid
- Email policy: this policy might state that corporate email accounts may not be used for personal purposes
Reasons for having security policies:
The reasons for creating security policies are stated below:
- Security policies help protect the assets of an organization (without a ‘remote access policy’, corporate data might be leaked!)
- They help clarify and reinforce the security team’s responsibilities
- In case of any misunderstanding, the security policy serves as a reference
It is therefore an absolute necessity to create a security policy for an organization and to enforce it as well.
Types of policies:
A policy can be divided into organizational policy, issue-specific policy and system-specific policy.
An organizational policy is laid out by the organization with the business objectives of the company in mind. It assigns responsibilities to the various employees. The language of the policy is expected to be simple and easy to follow, but strict.
An issue-specific policy deals with a particular issue such as email or mobile devices. An email policy, as stated earlier, might require all employees not to use corporate email for personal purposes.
A system-specific policy relates to system-level objects such as networks and applications. For example, system-specific policies cover firewalls, VPNs or IDS/IPS.
The unenforceable policy is something that must be clearly avoided when working with policies. An unenforceable policy is one that was created “just for the purpose of creating it” but cannot be enforced at all. It may also have been created a long time ago.
Nobody in the organization follows it, and sometimes nobody even knows it exists. An example is a rule stating “no personal use of office computers”. But is this really feasible in today’s work environment? With the increasing use of laptops, mobile devices and multiple ways to access the workplace, such a policy is not effective and cannot be enforced. It is better to tweak it to something like “limited time for personal work during office hours”.
Example of a security policy:
The above picture shows a sample ‘password policy’ for a client organization.
Rules for creating a security policy:
These are some rules for creating a security policy:
- Identify the risks within the organization
- Communicate these risks to top-level management
- Frame new policies or update existing ones in line with the current security status. Many security policy templates covering email, mobile devices and Internet security are available at “http://www.sans.org/security-resources/policies/”
- Make sure all members of the organization comply with it
- Arrange a security awareness training campaign (Stephen Northcutt)
The security policy thus has to be created with the business goals, the size and the type of the organization in mind. It has to be written clearly and with foresight. It should be able to withstand the test of time, and if it does not, it has to be revamped immediately. A security policy, when correctly created and enforced, will secure all endpoints of a network perimeter.
Harris, S. CISSP All-in-One.
Northcutt, S. and Zeltser, L. Inside Network Perimeter Security.