How to write your company’s IT security policy

If my consultancy conversations usually start with “so, you think your business is secure?”, they invariably end with a response of “so, what can we do about it then?”. This is where I really confuse them by not immediately talking about solutions and software, but instead about best practices, education and policy.

Formal information-security policies are often seen as the sole territory of larger enterprises, but this couldn’t be further from the truth. Every business – no matter how small – can benefit from implementing such a policy. The benefit runs much deeper than merely having a formal document: it really comes from the process of thinking about what data security means to your business, and creating a written, structured response to those needs. This process of thinking about security – and I mean really thinking about it, from top to bottom – is always an eye-opener for the team involved.


Even for those businesses at the smallest end of the SME scale, which are often only one bloke and his dog, this will be a team process. I’d never consider taking on a policy-creation job all by myself. This may not raise your opinion of how consultants work, but the bare truth is that unless policy creation involves those working at the coalface of the business, it’s totally pointless. The reason I can make such a sweeping statement can be best explained by making you understand what actually constitutes a security policy.

Strip it right back to its basics, and an information-security policy can be defined as a commitment to protect all the data that a firm creates and uses. Start fleshing out this simple definition, and the all-encompassing desire for data defence becomes your guide to exactly how the levels of required protection can be both achieved and maintained.

Leaving this to a third party – or even delegating responsibility on a departmental basis – is security suicide: your IT bods (assuming you have such a luxury) may produce a technical draft, which is given a jargon-vacuuming by the personnel department, before finally being rendered totally incomprehensible by the legal department. A sustainable and effective security policy has to be written from the ground up, with input from the top down.

Depending upon the size of your organisation, this could mean the sole proprietor meets with an outside consultant, or the board of directors works with the IT department, personnel, legal and the shop floor. The main point is that everyone must be represented, so your entire business is included; and that all foreseeable risks to the company’s data are mitigated as far as possible as a result.

Practical policy

One of the problems when talking about a security policy lies in ensuring that The Powers That Be truly understand that it should be – indeed must be – something practical and useful at a business level. This is especially true for small businesses, where information security is often regarded as an inconvenient interference with day-to-day work, rather than an integral part of the business process. An information-security policy – as with an acceptable-use policy or even a contract of employment – is useless if it’s merely signed and consigned to a filing cabinet until after a breach has occurred.

I’ve heard IT security consultants talk about a policy document as being a “living, breathing, part of the business”. Frankly, this is a step too far for me and most of the folk I work with. I prefer to think of it as a written information-security programme (WISP). In other words, it isn’t a bunch of boring files, but a collection of policy documents, along with the steps that need to be taken in order to enforce the policies they contain.

Some state governments in the US have even gone so far as to include this WISP requirement within their information-security legislation: Massachusetts, for example, requires every person who “owns or licenses personal information” to “develop, implement, and maintain a comprehensive information-security programme that is written in one or more readily accessible parts”, and which contains administrative, technical and physical safeguards.

I’ve started using this WISP definition as my take-off point when talking to a business about building a meaningful policy. I place that “readily accessible parts” phrase at front and centre of any initial policy-creation meetings. It’s crucial that everyone understands that “readily accessible” means accessible to all employees; this in turn means that suitable training and educational courses are available to them all.

If this is starting to sound expensive, then you’re missing the point. Of course there’s a cost attached to creating a policy, in terms of consultancy time as well as implementation. However, that cost must be balanced against the risk of not having a policy – which is likely to result in a broader “attack surface” – and to the expenses to the business when the inevitable breach occurs.

Mere mention of the T word (training) usually elicits groans from whoever has control of the security budget. However, as far as information policy is concerned, this can be as simple as sitting with an employee in a room for an hour and explaining how the policy applies to their particular role, and answering any questions they may have as a result. It doesn’t have to mean dragging in a third-party company. In my experience, training sessions that are conducted in-house by work colleagues have vastly greater benefits when it comes to security policy.


I know you’re probably hoping that I’m about to provide you with the magic ingredients for a one-size-fits-all information-security policy, a kind of WISP template for every business. Prepare to be disappointed, dear reader, since I can’t do this – for reasons that are so obvious I’m not going to waste my time typing them up. However, what I can do is point you in the right direction and give you some food for thought.

Think in terms of allocating accountability, and understanding the roles and responsibilities of staff within categories of management, “key staff” and everyone else. Creating formal accountability and defining these roles helps to focus attention on the classes and value of data within the business, and also to manage expectations about who is to do what and when.

Once you know what data you have and what value it has to your organisation, and you’ve defined specific security responsibilities among your staff, it’s relatively easy to start determining in a real-world way who should be allowed to access, modify and distribute that data. Equally important are the particular policies you apply to network services, including cloud provision and remote access (including BYOD), as well as the more mundane internal network provisioning. Don’t forget the system basics as far as mission-critical OS and server configurations are concerned, which should include account and password management along with your intrusion-detection processes.

Then there’s the small matter of how you handle things if the worst does happen: you should always include a section detailing your incident-response strategy. This needs to be a hands-on and step-by-step description of how to delegate responsibilities, and must specify the procedures to follow if a breach occurs: everything should be given thought, from locking down systems and evaluating damage upon discovery of a breach, to post-breach notifications and forensics. Oh, and the need for training and education needs to be explicitly spelled out within your policy document, along with what’s expected of all staff from top to bottom in terms of acceptable and unacceptable behaviours.

Physical security

Remember to account for physical security within your policy documents: it’s easy to overlook, which is probably why it’s so often missed out of information-security policies (doh!). You know, stuff such as who has access to your office, your servers, your laptop, your smartphone, your USB thumbdrives and the rest, and how you physically secure these things. Finally, don’t get caught up in the kind of self-examination that leads many people to start asking whether this is a policy, a guide or a standard. If you’ve truly understood the concept of WISP that I spoke about earlier, then you should appreciate that in effect it’s all three.

That’s about as far as I can go, other than to say that the best advice I can offer the small-business owner on effective policy creation is that knowing what you don’t know is just as important as (if not more important than) knowing what you do know. Computers and the internet didn’t exist when Sun Tzu, author of The Art of War, was living around 2,500 years ago, but some of his principles still apply to today’s information battlefield: “If you know the enemy and you know yourself, your victory will not stand in doubt.”

A good starting point in knowing yourself, or rather the effectiveness of your security strategy, is to take the quick online AVG Small Business IT Security Health Check. It’s free of charge and takes only a few minutes to complete. I’m not recommending AVG or otherwise here, but this questionnaire is hugely useful in provoking the kind of holistic thinking you need to truly understand the data-security landscape of your business.