Before one can address what makes a good security policy, it is important to identify what a policy is and what purpose a security policy serves in the first place. Embracing the goals or general beliefs of an organization, a policy is a high-level plan or statement written in a formal, concise manner. To strengthen a policy and make it more effective, mandatory rules or actions known as standards are typically created to help define and describe requirements. Security threats against organizations are increasing every day, including denial of service attacks, viruses, hacking and even malicious internal activity. Successful planning and implementation of security helps a company avoid the negative repercussions of such malicious activity, or allows an organization to recover more quickly when an incident occurs. In order to work effectively towards securing an organization, a security policy is a must. This policy is essentially a plan detailing how to protect the most important aspects of a company.
There are a number of goals that should lie behind any effective security policy. Downtime should be minimized by ensuring data and processing resources are available. The confidentiality and integrity of raw customer data must be protected, and risk should be compartmentalized for the organization and its customers. Data processing must be protected from unauthorized use and maintained securely. Processed customer data must remain confidential, using controls that restrict unauthorized access. Finally, controls must be in place to verify modifications and, more importantly, to prevent and detect unauthorized modification of processed data.
A strong security policy is effective in many areas, including minimizing risk, protecting data, setting expectations of behavior for all personnel involved, clarifying and enabling consequences for violations, and tracking and ensuring compliance with all applicable laws and regulations. A security policy is essential in translating the security expectations held by management into specific, measurable, and testable goals and objectives. Additionally, the framework provided by a security policy makes it easier for all employees to comply with security requirements. A security policy is also used to give employees a general overview of what is considered “acceptable use” by defining what is and is not allowed. Security policies are also useful for a company to demonstrate compliance with laws and regulations.
There are a number of aspects that good security policies share. The policy must be implementable and enforceable, must clearly define responsibility, and must be properly documented, distributed, and communicated. Implementation must be able to occur through appropriate channels; security tools and restrictions must be used for enforcement; and all parties, from management to administrators to users, must understand their role.
In order to develop an effective security policy, there are a number of steps an organization must take. Before a security policy can be created and implemented, the security principles of the organization must be outlined. These principles help to identify, create and specify the security policies that are most important to the firm. A very basic way for a firm to approach this would be to identify what is to be protected, from whom it needs to be protected, and how information assets could be harmed, and then to monitor regularly. A more complex methodology would still begin with identifying what needs to be protected, followed by determining the probability of each threat occurring relative to the total number of threats and vulnerabilities, specifying cost-effective measures that will protect the assets, giving this information to the appropriate parties, and finally monitoring regularly.
There are a few aspects that are frequently overlooked within many security policies. These include physical security, distribution and employee training. It may seem surprising to suggest that physical security may be a weak point. Thinking of physical security conjures thoughts of locked doors, keycards and complicated passwords. While these are all aspects of physical security, both physical machine security and non-malicious damage are often overlooked. A physical machine security failure could be as simple as not keeping machines locked down, so that it is possible for an intruder to steal a machine or, worse, trash the entire cluster if it is not stored in a cage. Non-malicious damage covers a wide range of accidents: an employee spilling a cup of coffee, a janitor knocking over a mop bucket, a tree crashing through a window, a fire, or worst of all, disk failure. So many potential threats require not only consideration of physical machine security but also redundancy. One of the most common rules of redundancy is the rule of three (main drive, local backup and offsite backup), though the more significant the data, the more backups the better.
Distribution and employee training are also weak areas in many security policies. Often policies are difficult to find or, worse, complicated to read. If a technical writer is writing for a technical audience, the material may be too dense or overly complicated for the layperson. Conversely, something written with a general audience in mind may not be able to be specific enough. This is where training should be employed. While training is required by regulatory bodies in many industries, training modules frequently just describe what is required and never explain why or how. For example, it is easy to have a training module explaining that you should never click links in suspicious email; it is something else entirely to really teach, by explaining how an attacker obtains information via phishing and going into detail about fake emails and webpages.