Security Policy Overview

A business that expects to have more than a few employees must have security policies in place. Any business with 20 or more employees that does not have at least a minimum security policy covering several key areas is asking for problems at some point. Remember the now well accepted stat that half of small businesses fail within six months of a cyber-attack.

Consider the rapid pace that technology evolves to meet the needs of businesses. When it comes to technology, change is the one constant and the way a business uses technology is constantly evolving and changing. Businesses need to take control of the way employees, contractors, customers and clients handle their intellectual property and records.

Assessing Risk

At Worldwide Privacy, we believe that in nearly all aspects of information security a business must assess and rate risk to determine what steps, actions and measures must be implemented and to what level. Without an understanding of the risk a business faces one cannot properly determine where to begin and what to focus on. To avoid wasting time and effort protecting areas that are lower risk while leaving unprotected those areas that are higher risk, a business owner must catalog and rate all perceived risks to their business.

Risk assessments should include looking at technical and non-technical aspects, processes and procedures. However, any business with a small network of 15 or more PCs should consider evaluating and testing the network and any systems or applications used to run the business or produce services. Under such an evaluation it may be discovered that PCs are not being kept up to date or that software or systems are outdated and in need of security patching. Not keeping technology current can pose an existential threat to a business, making it vulnerable to all forms of malware that is constantly being created to hack into your data to steal identities and intellectual property and after a breach, the company’s reputation may be irreparably damaged.

Risks cannot be entirely eliminated. There will always be “residual risk”. The key is to get the residual risk down to a level that is below the risk appetite or tolerance of a business. To take this to the extreme, we’ve all seen funny cartoons about security showing the shutdown of all computers to make everyone safe. The trouble with that of course is that while cybercriminals are thwarted, so are your employees and customers. We need to strike a balance that allows the business to operate efficiently and at the same time protects it at the right level.

Policy Development

Once risk has been analyzed, a business can begin deciding on the policies required and the level to which the policies must apply, a business is compelled to examine all ways that it uses / handles data of all types. This is a key analysis that should result in defining how to keep its digital and other data safe from the constant barrage of attack by organized criminals also known as cyber-criminals and hackers.

Security policies make it clear to everyone in the company what is considered important to protect and what the behavioral rules are around all types of data in all formats:

Paper records including invoices, reports and financial records
Digital data on PC disk drives, in “the cloud”, on USB drives and elsewhere
Data about your customers and clients
Data about your company – sometimes referred to as intellectual property

There are several reasons to implement and make sure employees understand and agree to security policies.

Employees need to be trained on the basics of how to protect company and customer data at all times. Security policies provide the beginning of that training and make it clear what is expected and what behaviors are not allowed when it comes to handling company information
Businesses must protect themselves from an employee not doing the right thing accidentally or on purpose by making sure that the policies are written, read and accepted by every employee every year.
As a business grows it will begin to come under the scrutiny of external audits meant to test whether information security is being addressed at appropriate levels. For example something as simple as obtaining some forms of insurance can require a business owner to answer questions about information security and one of the first questions typically looks for having a “security awareness plan” in place, the first leg of which is to have correctly written and accepted information security policies. Without them insurance rates at best will go up and at worst, insurance companies will not take on your risk.

What are some of the basic items that should be covered? Here are a few examples (not an exhaustive list by any means). While some of these may seem like common sense, realize that while it is common sense to not steal, we still have laws written to ensure that if someone steals, they are held accountable. Employees should understand and agree:

Every employee has a responsibility to protect customer identities and other personal data.
Every employee has a responsibility to protect company secrets, competitive advantages and other intellectual property including recipes, process and procedure, sales methodology, new ideas, information technology such as computer programs, etc.
There are appropriate uses of company property like a personal computer (PC). Where there is room for flexibility, company property use should be only allowed at a level within the company’s risk appetite. For example a company PC is a business tool, but many employees see a PC as their own “personal” device, bristling at the thought of monitoring programs being installed or anti-virus programs that use resources on the PC. Employees should agree that the PC is company property and while a company may allow the employee to visit Amazon.com to purchase personal items, there are many activities that will be considered forbidden, for example using the PC to take part in online gambling.
Employees should understand the minimum password rules that are required for all company accounts as well as to unlock a PC or other electronic device.
Depending on the type of business a policy requiring that documents be appropriately stored when the employee is finished working may be necessary. This includes working from home which may be an even greater risk in terms of information being left out that if revealed to the wrong person could damage the company’s reputation. This is called a clean desk policy.
Many companies now have a “Social Media & Open Forums” policy. These are meant to ensure that comments made by employees on social media platforms are separate from comments made by the company or on the company’s behalf. No employee should be allowed to post a comment that represents the company without proper permission.

Handling Objections

When implementing security policy it is important to “rightsize” the policy to the business culture. Going from no policy at all where employees do not have security top of mind to an all encompassing set of policies that require employees to behave along very strict guidelines as is they were working in a highly secretive government agency will undoubtedly lead to at the very least push-back and large scale non-compliance and at worst employees leaving the company for easier pastures.

Small family owned businesses tend to be more trusting of their employees, with the business owners directly involved in most of the hiring and therefore believing that their hires are mature responsible adults that can “do the right thing”. While probably true, there is always going to be an occasional bad hire and as a company grows and the hiring duties get pushed down to senior managers that will happen more often.

When deciding what policies are necessary and how strict to make and enforce them, company culture should be taken into account. As a company grows its culture will change almost in parallel with the risk appetite of the business changing. Risk appetite is one way of describing the risk tolerance a business has which over time changes. In the very beginning a company working hand-to-mouth has all it can do to satisfy its’ few clients and keep the lights on. But as growth continues and revenues increase there gradually becomes more to lose if the company experiences a security incident that causes reputational damage. As risk appetite decreases, the need for tighter security policy documentation and training increases.

A good information security professional will typically ask employees to comment on the written policies for several reasons. First, it allows the security officer the chance to have a dialog with employees where they can gain an understanding of how the policies are understood and accepted. Next, it will help to find ambiguities and anomalies that employees will point out that may get in the way of doing their job. Remember that rightsizing is important and part of that process includes ensuring that the security policy mandates are not causing large impediments to getting work done.

Enforcement – Tone at the Top

Without defined consequences experience has shown that there will be many who simply ignore the policies and ignore requests or mandates to read and agree to the policies. One of the written policies should clearly define the consequences for ignoring or otherwise disobeying the policies up to and including termination of employment. Depending on employment law in your state this policy could also avoid employment law suits for wrongful termination provided there is proof that an employee willfully disobeyed or ignored security policy.

The main requirement to go along with a policy clearly defining consequence is the backing of the chief executive, the executive committee or board of directors. This is sometimes called “Tone at the Top” and means that the executive can set the “tome” so that all employees know that the highest executives in the company support the policies including the consequences of avoiding them. Without solid support from executive levels, security officers or IT directors will have trouble just getting employees to read and acknowledge having read and agreeing to the policies. Some employees will just decide they are too busy and don’t have time to spend on reading the policies.

Policy Types

There are different types of security policies required for most businesses. Thus far we have been describing policies that apply to general employees. There are also policies that should be written and implemented for specific employee roles or types.

For example, those in finance may have a policy written specifically for their role because of the privileged access they have to financial data. Software engineers, DevOps, technical operations and other technical roles will also typically have one or more policies written and implemented specific to their job types. This is to ensure that those in these roles realize that the company understands their job function and the specific policy needed to protect customer and company assets, and to not expose general employees that do not have a need to know these special roles and policies to read details and potentially become overwhelmed. Where there is not a “need to know”, employees should be shielded from unnecessary policy documentation.

A security policy contains pre-approved organizational procedures that tell you exactly what you need to do in order to prevent security problems and next steps if you are ever faced with a data breach.

Creating Good Security Policies

Anywhere information security is discussed or written about there is usually a place where a refocusing is done to remind the reader of what information security at its core is all about. When discussing security policy it makes sense to do this, because the policies when put into place with the proper enforcement techniques and support from executive management will address what is known as the “CIA triad”, and specifically what each part of the triad will be protected from with good security policy in place:

Confidentiality – Keeping information from being obtained by the wrong people or being used inappropriately by those who have authorization to access it.
Data Integrity – Data has a lifecycle. It is created, maintained and often (but not always) eventually becomes obsolete and is deleted. To have integrity, data must be reliable and be able to be trusted. Making a business decision using bad data that is trusted can be worse than making a business decision with no data at all. This requires policies around error checking, validation, and other methods for ensuring data integrity and that data is not erroneously validated either accidentally or deliberately.
Availability – This refers to making sure that data is available when it is expected to be. This includes making data available more widely than is expected, for example for longer periods or to a larger audience than is required.

There are countless examples of free security policies to be found on the internet, so there is no need to write these from scratch. However as good as a policy template may be it is only good for your business if it is customized to the company culture, risk determination and risk appetite. There is no one size fits all security policy.

A good policy is not unlike any other good piece of documentation required by a business, with some specifics about security. A good security policy will have the following components:

Overview and Purpose: What is the general theme? Why is this policy necessary? What are the expectations or desired outcomes from having implemented the policy? If employees understand these reasons they are more likely to adopt them without pushback.
Policy Statement – What is the policy? Example – “Use of email by Company email users is permitted and encouraged where such use supports the goals and objectives of the business. All use of email must be consistent with policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices. All Company email accounts should be used primarily for business related purposes…”
Scope – Who does this apply to? What assets does this apply to? What are the boundaries of the policy?
Author or Authority – Who wrote the policy and where should the reader go with questions, issues and / or objections?
Last Updated – There should be a table at the bottom of every policy with a last updated log that includes the date of update, who updated and at a high level what updates were applied or what was changed. Policies should be reviewed formally at least yearly by the organization in charge of information security.
Compliance Mandates: If this policy is required by federal or state regulations they should be listed. For example, recently many policies were updated and created to address the EU’s new General Data Protection Regulation (GDPR).

Summary

Most businesses need security policies. Without them, businesses leave themselves vulnerable to inconsistent employee behavior and data handling that can cause business disruption, loss of services and loss of reputation.

The policies a business needs should be based on understanding what risks exist that may affect the business in a negative way.

Employees need to be trained on policies. That can be at minimum reading and agreeing to abide by them and having the policies presented to them by the security officer during hiring on-boarding.

There must be consequences to not following policy and support for the entire program must be communicated from executive management.

Policies should be written for specific audiences. For example, don’t make HR employees read and abide by the policy mandating that Linux servers be scanned for vulnerabilities and patched regularly.

Once implemented, policies should be updated regularly but at least annually. Employees should acknowledge reading and agreement to abide by all policies that apply to them annually.

Security polices are but one aspect of an entire security awareness program. Other aspects include security training, regular security informational updates, on-boarding security policy presentation, phishing and vishing testing, etc.