When we talk to clients as part of an IT audit, we often find that policies are a concern: either the policies are out of date or they are not in place at all. This often stems from the fact that no one has been assigned to a permanent security role. It’s left for IT to do when they have time. Of course, IT never has time for security and compliance because they are rolling out new technology and fixing last week’s.
In the following series we will cover 10 critical IT policies at a high level, to explain their role as a foundation for data governance. The following are not complete policies, but summaries that can serve as a general framework for training purposes.
It all starts with governance, so let’s first consider the FFIEC cyber security maturity model for governance. Notice below that as we move from Baseline towards Advanced, the statements become more detailed and proactive rather than universal or vague. For example: Baseline: Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs. Advanced: The board or board committee approved cyber risk appetite statement is part of the enterprise-wide risk appetite statement.
IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. ... The IT Governance Institute (ITGI)
Now that we have our starting point, governance, we can proceed with a minimum set of 10 IT policies. Your organization may need many more. We will cover five in this article and the remaining five in Part 2 of this series.
I know policies are not exciting and not many people like to write them, but they are a necessary foundation for systems security management. Policies don’t have to be long or wordy; if you have too many or they are too complicated, they will probably just be ignored. Regarding policies we often state “say what you do, and do what you say”; that way no one will ever use them against you. Don’t just implement a generic template unless you are very diligent in making it yours. Each enterprise or small business is unique, and as such its policies must match the culture, technology, compliance standard and business priorities. For example, risk appetite in a DoD environment is very different from risk appetite at a car dealership. Here are the IT policies that should be covered:
- AUP (Acceptable Use Policy)
- Security Awareness
- Information Security
- Change Management
- Incident Response
- Remote Access
- Vendor Access
- Media destruction, Retention & Backups
1 AUP (Acceptable Use Policy)
Purpose: To inform all users on the acceptable use of technology.
The AUP sets the stage for all employees, ensuring that they know the rules of the road. In this policy we define corporate resources: the company’s computer network, host computers, file servers, application servers, communication servers, mail servers, fax servers, etc. Also remember to consult your legal department when writing and releasing policies that impact the corporation. Your legal department may even have a standard AUP that you can use. The following are important areas to cover in an AUP.
- Use of Computer Resources
- No expectation of privacy
- Legitimate business purpose
- Responsibility for passwords
- Standard footers for e-mail
- Communication of trade secrets
- Duty not to waste computer resources
- Illegal copying
- Inappropriate or unlawful material
- Altering attribution information
- Accessing other user’s files
- Accessing other computers and networks
- Computer security
- Use of encryption software
- Monitoring of Computer Resources
- Remote Access
- Personal equipment
- No maintenance, modification or addition
2 Security awareness
Purpose: To consistently inform all users regarding the impact their actions have on security and privacy.
Introduction: The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing relevant security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents are some actions that can be taken to reduce the risk and drive down the cost of security incidents.
We would then start naming specific bullet points that we want to include. For example:
- A monthly security awareness newsletter will be sent to all employees, covering the latest threats, including ransomware attacks and social engineering.
- Online or in-person security awareness training will be put in place and monitored to ensure all employees participate.
- Continue with relevant bullet points. This is where we cover all the typical scenarios that we are likely to encounter and it’s a long list to say the least. Remember to keep it high level in a policy, save those specific server name details, etc. for the procedures that fall under a given policy.
3 Information security
Purpose: To lay the foundation for the enterprise data risk management program: people, process and technology.
General: The information security policy might look something like this. Its purpose is to define the management, personnel and technology structure of the program. The most important part of this policy is “Who is the single point of contact responsible for information security?” Is it an IT manager or a security analyst, or do you need to appoint someone?
A. Role of Information and Information Systems
C. Environment and Scope
D. Organization and Employee Roles and Responsibilities
- System Access Control
- Information Access
- User-IDs and Passwords
- User-ID Issuance for Access to corporate Information
- Anonymous User-IDs
- Password Policy
Continue with relevant bullet points. Add social engineering, phishing, spear phishing, advanced persistent threats, spam, and so on.
4 DR/BCP (Disaster Recovery/Business Continuity Plan)
Purpose: To ensure that the business has DR/BCP plans that are accurate and tested.
A DR/BCP plan helps manage real-time risk. It covers responding to everything from denial-of-service attacks to floods, fires, hurricanes or any other potential disruption of service. Business continuity seeks to keep the business running no matter what, and thus includes redundant systems and personnel plans to ensure the business stays up and running.
Disaster recovery, as the name implies, is the plan to recover from events like floods, fires or hurricanes that caused an interruption in service; that is, you lost business continuity. DR/BCP plans must always involve the business units when creating, planning or testing. Each critical department or business function must know its role in the recovery strategy. For example: Is work from home included? In the case of a major hurricane, have you considered that personnel have families that may need assistance on the home front before the employee can do their part for the enterprise? In a life-threatening situation like a hurricane, people must take care of their families before they can take care of their company.
Recovery strategy summary: In this section, a plan will typically outline the broad strategies to be followed in each of the scenarios identified in the plan introduction section. The following list comes from Sungard.
- Recovery tasks: This section of the plan will usually provide a list of the specific recovery activities and sub-activities that will be required to support each of the strategies outlined in the previous section.
- Recovery personnel: Typically, a DR/BCP plan will also identify the specific people involved in the business continuity efforts.
- Plan timeline: Many plans also include a section in the main body that lays out the steps for activating a plan (usually in the form of a flow chart).
- Critical vendors and their RTOs: In this section, a plan may also list the vendors critical to day-to-day operations and recovery strategies, as well as any required recovery time objectives that the vendors must meet in order for the plan to be successful.
- Critical equipment/resource requirements: A plan may also detail the quantity requirements for resources that must be in place within specified timeframes after plan activation. Examples of resources listed might include workstations, laptops (both with and without VPN access), phones, conference rooms, etc.
5 Change management
Purpose: To ensure that changes are managed, approved and tracked.
Finally, let’s look at change management. All too often, things are moving very fast in a corporate IT department. Systems and software are being updated, modified or replaced for a number of reasons. Without change management, a firewall may be updated and suddenly stop business traffic from flowing, or perhaps cause unexpected data loss or data leaks by not being restrictive enough. Unexpected things often happen when we go to make a change or update.
Change management forces us to slow down and make a plan, and to ensure that we completely understand the change and its potential impacts on other corporate systems and data. Change management also puts a back-out plan in place in case the change goes bad or has unintended consequences. Change management helps ensure that business impact is completely understood and approved by leadership before any changes are made.
Scope: The scope of this policy includes all personnel, including external vendors, who have access to or are responsible for defining, planning or designing the software for the production systems for any and all systems located at the Company XYZ facility.
Policy: Notification must be completed for each scheduled or unscheduled change following the steps contained in the Change Management Procedures.
- A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not.
- A Change Management Log must be maintained for all changes. All Company XYZ information systems must comply with an information systems change management process that meets the standards outlined above.
System architecture and controls policy
- Management will identify and review network infrastructure access points and associated risks and vulnerabilities.
- The network topology will be maintained and will describe, at a minimum, the connection points, services, and hardware components to include connections (Internet, Intranet, Extranet, and Remote Dial-up), operating systems etc.
- Add additional statements that pertain to your organization
In the next blog we will review the remaining five policies every organization should have in place. Most companies don’t have a full-time security and compliance role. Good policies take a lot of time and experience to develop, so know when to call a consultant or someone with the right expertise for help. Policies are the foundation for your security and compliance program, so make sure they are done right the first time; you may not get a second chance.
This article was originally published on CSOonline.com