February 8, 2018 •Jason Dell
Last week we discussed our plans in this security blog series for a simplified approach to cybersecurity. We discussed the importance of identifying and documenting your data assets—the data repositories that you have or the services that you provide that are critical to the success and growth of your business. We encouraged you to document the risks to your data assets. Then we asked you to consider the impact of compromise to your data assets.
It makes sense at this point to evaluate your current written security policy. You don’t have a written security policy? Then it’s time to create one! Focus specifically on mitigating the risks to your data assets when creating or revising your written security policy. Your choice of security products or technology may help to support your written security policy, but they should not be the sole means of enforcing your written security policy. Consider a written security policy as one of your controls to mitigate risk to your data assets.
Below is an example of a potential written security policy framework. Customize this framework to fit your particular environment.
WRITTEN SECURITY POLICY FRAMEWORK
Organize your framework so that it is easy to navigate.
Declare your purpose and intent for having a written security policy. Be sure to include the scope and intended audience. For each section, document the incident response procedures / policies, and explain the enforcement procedures. As well, list the enforcement and exception policies or each section.
1. Physical Security
List your physical assets.
- Offices
- Data centers
- Storage facilities
- Printed documents
- Electronic equipment
- Data backup media
List the risks to your physical assets.
- Fire
- Flood
- Tornado
- Theft
- Damage
- Corruption
- Power instability
List the controls to mitigate risk to physical assets.
- Office access
- Security (alarm) systems / door locks
- Access to equipment / data centers
- Locked printed document storage
- Fire suppression / control
- UPS / Surge protection
- Offsite backup media handling procedures
2. Workstation Policy
- Handling and care of issued personal computers
- General security (use an antivirus, lock unattended, password usage, patching)
- System and network activities (don’t share passwords, don’t use illegal software or do anything illegal, use common sense)
- Removable media
- Storage of personal files on company-issued personal computers or devices
- Storage of confidential information on personal computers or devices
3. Internet Acceptable Use Policy
- Acceptable/unacceptable Internet browsing and use
- Acceptable/unacceptable email use
- Acceptable/unacceptable usage of social networking
- Electronic file transfer of confidential information
4. Network Infrastructure Security Policy
- Best practices for secure configuration of routers, switches, access points, firewalls
- Access to network infrastructure equipment
- Logging of activity
5. Network Server Security Policy
- Securing (use an antivirus, lock unattended, password usage, patching)
- Backup/restore
- Access to servers
- Logging of activity
- Disabling unused services
- Network segmentation
- Internet access to/from servers
- DMZ usage
6. Mobile Device Security Policy
- (Pretty much repeat the Workstation Policy)
- Access to production wireless network (or not?)
- Wireless security standards
- Usage of public guest wireless
7. IoT Device Security Policy
- What is/is not permitted
- Access to production wireless network (or not?)
8. Remote Access Policy
- Definition of remote access
- Who is permitted (employees/venders)
- Types of permitted devices/operating systems
- Methods permitted (SLVPN, site-to-site VPN, etc)
- Remote-side controls
Now that you have a written security policy draft, you should submit it to management and human resources for approval. Of course, having a written security policy is only effective if employees read and agree to it! Technology and business practices change quickly, so you should revise your written security policy annually.
NOW WHAT?
In future blog posts, we will discuss identifying and evaluating the efficacy and validity of your current controls. We will discuss the modern security technologies that are available to mitigate the risks to you data assets. Then we will wrap up the series by selecting the solutions that fit the security technologies necessary to reduce the risk to your data assets, and to discuss how security solutions should work together as a security system.