Laura Taylor is the Chief Technology Officer and founder of Relevant Technologies. Ms. Taylor has 17 years of experience in IT operations with a focus in information security. She has worked as Director of Information Security at Navisite and as CIO of Schafer Corp., a weapons development contractor for the Department of Defense.

The first step in any project to prepare a security policy document is to determine what elements to include in your policy. Be sure to consider all the key elements your IT staff manages. I recommend you cover each of the areas listed below in a section within your document. I have room here to cover just the basics, but I hope to explore each topic in greater depth in the upcoming months. The seven elements are:
- Security accountability: Stipulate the security roles and responsibilities of general users, key staff, and management. Creating accountability in these three employee categories helps your organization understand and manage expectations and provides a foundation for enforcing all other ancillary policies and procedures. This section should also define various classes of data, such as internal, external, general, and confidential. By classifying the data, you can then make stipulations as to what types of employees are responsible for, and allowed to modify or distribute, particular classes of data. For example, you can send out memos that say, "No confidential data may be circulated outside the company without management sign-off."
- Network service policies: Generate policies for secure remote access, IP address management and configuration, router and switch security procedures, and access list (ACL) stipulations. Indicate which key staff need to review which change procedures before they are implemented. For example, your security team should review all proposed ACL changes before your network administrators implement the changes. Define your remote network access policies and your network intrusion detection systems in this section.
- System policies: Define the host security configuration for all mission-critical operating systems and servers. Include which services should be running on which networks, account management policies, password management policies, messaging, database, anti-virus, host-based intrusion detection, and firewall policies.
- Physical security: Define how buildings and card-key readers should be secured, where internal cameras should be installed, how visitors should be handled, and what inventory rules and regulations your shipping and receiving folks should follow. Though this might seem a bit afield of a discussion of IT security, remember that no organization is secure from attack unless it's physically secure too.
- Incident handling and response: Specify what procedures to follow in the event of a security breach or incident. Include policies such as how to evaluate a security incident, how the incident should be reported, how the problem should be eradicated, and what key personnel your organization should engage in the process.
- Behavior and acceptable use policies: Stipulate what type of behavior is expected of employees and your management team, and what forms and documents need to be read, reviewed, filled out, and followed. Employees should be required to read and sign the acceptable use policy so that management has the option to take disciplinary action in the event that the policy is violated.
- Security training: Define a security training plan for key staff who manage day-to-day security operations in order to sustain your security policy and keep your security staff current with the latest techniques.
Once you've established policies that suit your organization, you should draft procedures that outline how to comply with the policies. Define how you secure operating systems, what files to edit and configure, what ports should be open and closed on the firewall, how databases should be secured, and what updates need to be applied on what timeframe. Include what jobs should be run and when.
Don't be surprised if your information security policy document runs 25 pages or more. Large companies often have information security policies that are 100 or more pages in length.
You should review your information security policy at least twice a year, and update it whenever your network changes or, at the very least, on a quarterly basis.