The purpose of any information security policy is to outline the standards for processes and technical measures that are implemented in an organisation. They in-turn are derived from an organisation’s overall security strategy; this ensures that an organisation’s approach to security is uniform across the board. When writing a policy, factors need to be considered such as the size of the organisation or any standards and frameworks required.
A small organisation may only require a single information security policy that contains provisions for everything, a large corporation may require a number of different policies that satisfy multiple requirements with varying levels of detail depending on the intended audience. Whatever the size of your organisation or number of policies they should all contain the following items:
- Policy content
- Testing or review process
- Revision history
Diving into the above a little more, four of the elements are most likely quite self-explanatory but expanding on the Testing or Review Process element is valuable. Any information security policy that is developed and implemented across the organisation needs to be made real, it needs to make sense to those it impacts and are expected to understand and follow it. One way of doing this is to put in place a series of desktop exercises that test both the policy and employee. Ensuring it is made personal and relevant will increase understanding and help protect the business should a cyber-attack occur. This is something we often do when testing incident response approaches.
In terms of policy content, this is again dependent on the needs of an organisation. Some may require provisions for secure development, some may (or may not) require a policy regarding working from home. The following is a few examples of the topics that can be covered in a security policy:
- Asset Management
- Remote Working
- Access Control
- Password Management
- Change Management
- Incident Management
- Acceptable Use
- Patch Management
- Physical Security
Again let’s pick up on a couple of examples that we see as ubiquitous and also very relevant in today’s cyber security landscape.
Firstly, Password Management is something that every single organisation should have a policy for, we use these every day to access laptops, bank accounts, invoice systems, phones, supplier accounts and more. As a general rule you should not use the same password everywhere as well as ensuring you use a password manager, have multi-factor authentication in place and use passwords that do not include identifiable information about yourself. If employees aren’t doing this in their personal lives, then they are not likely to do this in work without some guidance.
Incident Management, or Incident Response Planning, often pulls in many other policies as it is the central policy and process that brings your organisation together when a cyber-attack occurs. Organisations should have an Incident Response Policy which in turn informs the creation of the Incident Response Plan. Cyber-attacks don’t only affect a business across IT and systems, they have the potential to impact your business in multiple ways, so any Incident Response Policy and related Plan should encompass other areas of your business such as HR, Legal and Finance.
These two examples highlight the intricacies that need to be explored and the need for an information security policy to be formed, so that there is a uniform approach to security across different departments and roles within an organisation.
As a business owner or someone in a leadership position you may feel the pressure of developing policies to protect your business, staff, customers and partners; this is something you don’t need to fret over or indeed do alone. We have developed a great training session specifically for Business Owners and Leaders and will be running courses throughout the rest of the year.
If you think your organisation is lacking a solid information security policy to drive your organisation’s security forward, we can help. Contact us to get started.