Information Security Policy Development

It is almost impossible to pick up any magazine article or brochure about information security these days without seeing countless references to the corporate security policy. Everybody agrees that the policy is the cornerstone of any organisation’s approach to security and the most fundamental piece of the security armoury. Yet research shows that the majority of organisations do not have a written security policy.
Many clients find that the media is telling them that they should have a policy and yet nobody is saying what that policy should look like or deal with. In many cases security product vendors have muddied the waters by hijacking the term and attempting to associate it with their offerings, often claiming that they are “policy engines” or “policy enforcement tools”. The fact is that a policy document is the company’s “35,000 foot view” of how it will approach every aspect of security for the entire organisation, whereas most products only address a narrow slice of the overall security picture. In many cases we find that IT and Security Managers want to produce a policy but become bogged down in the detail required. What should be a valuable exercise becomes a time-consuming project. This is where our consultants help. Our information security team are experienced policy authors.
As outsiders Secure Networks have a clear view and can “see the wood from the trees,” enabling us to bring such a project to a timely close without becoming entangled in the day-to-day issues which can otherwise stall the process. Through a detailed interview process involving the management team, we can tease out the important issues and assemble only what is required.
Policies, Procedures & Standards
Many security policies become unwieldy because they attempt to include specific procedures or standards within the main document. We advise against this and recommend that a policy should only include the high-level statements of what is required and what is forbidden. This leads to a document that can be read by all and, once the policy is in place, will point the way to areas where specific procedures or technical definition of countermeasures are required. Relevant departments can then be provided with the Standards and Procedures that apply to them.
Most staff need to be aware of whether or not their e-mail has been screened for viruses before it is delivered to their desktop (policy), yet they do not need or want to know exactly what anti-virus product is used (standard) or how and when the virus pattern files are updated (procedure).
Ground Rules
An organisation which has not established ground rules through the development of a Security Policy may have difficulty making or defending a legal action in the future. When Norwich Union were challenged by a competitor over alleged defamatory e-mail, they found that they could not comply with the court’s instructions to produce all e-mails which had originated from their systems concerning the competitor in question. This quickly led to a six-figure out-of-court settlement. Had the company maintained a policy of destroying all sent e-mail after a short period, they could have reasonably argued that it was impossible for them to meet the requirement!
Legal Compliance and BS7799
The 1998 Data Protection Act mandates that all companies holding personal or sensitive personal data must take adequate steps to ensure the security of that data. In the case of a complaint from any party, the Data Protection Commissioner may investigate and request proof that appropriate security is in place and being maintained. A well-thought-out security policy is the clearest evidence that data is being handled responsibly, whereas the lack of such a policy could well be construed as evidence of a lack of commitment to security. Many companies are considering the adoption of British Standard 7799, the standard for information security. Before any serious consideration can be given to accreditation, the company must have established a detailed appraisal of its security stance. In effect, if there is no security policy and hence no pegs-in-the-ground, then accreditation becomes a pipe dream.
All policies are designed to conform to all relevant legal requirements including the Data Protection Act (DPA), the Regulation of Investigatory Powers Act 2000 (RIPA) and the Human Rights Act 1998.