Got Security Policy? Part 2: No Documented Policy

Top Ten Sections in a Security Policy

In my last post, I asked you where your organization sits in regards to a Security Policy. If you answered "We do not currently have a documented Security Policy", this post is for you. Below I describe, at a high level, the top ten sections you should ensure you include in your Security Policy. This information can also be helpful for those who want to either check, or beef-up, an existing policy.

Obviously, each organization's requirements will vary depending on the size of the company (e.g. number of employees, geographic locations, etc), nature of the business (e.g. manufacturing, retail, financial, healthcare, etc.), and compliance requirements for any applicable specific regulations or standards.

The information I've provided below is simply a rough outline of the top ten items and is not intended to be comprehensive. You will likely have a different outline once you've assessed the needs and risks for your organization, and that is just fine. However, I also suggest you include the points I identify below.

One more note before we begin: there is a lack of a separate Incident Response section due to the fact most organizations separate Incident Response into an entirely different document. If your IR plan is straight-forward and brief, you may want to include it within this policy as its own chapter or section.

There are many companies who can help you assess and develop a comprehensive Security Policy based on your organizations needs (yes, we can help you).

You should consider the following ten sections for your Security Policy:

1. Introduction
This section should describe why the policy exists, how and who is responsible for updating, maintaining, and enforcing the policy, and what is expected of employees in regards to following and enforcing the policy.

The policy should also describe the organization's security stance and mission for protecting company, client, and personnel information. A glossary of common or internal terms is also helpful.

Having the CEO, CIO, CSO or collective group responsible for the Security Policy (e.g. a Security Committee) endorse the Security Policy in a formal statement or letter (within the policy) is also important. At the very least, you will want to include some executive endorsement or support for the policy since this is not required by some security standards.

2. Overarching Policies
This section should define the roles and responsibilities of the organization regarding enforcement of the policy (e.g. Users, Management, Systems, Security Committee, etc.). Your overarching policies should describe how the organization manages compliance with the policy, including violations, reporting, and any disciplinary actions. 

3. Information Security
This section should be very specific about how you classify public and private information (e.g. internal use only, restricted, confidential and proprietary, etc). This includes how to classify, declassify, mark, label and destroy such information.

This section should also include your determined level of protection for your sensitive information, including approved/authorized encryption.

Lastly, this section should detail intellectual property owned by the organization (e.g. patents, trademarks, copyrights, trade secrets, etc) and how to handle each type, including use of other organizations' intellectual property.

4. Personnel Security
This section should describe how the organization ensures the personal well being of employees, contractors, visitors, etc. This can include background check policies as well as how the organization protects employees' personal information.

5. Physical Security
This section should describe the organization's physical access controls (e.g. electronic cards access systems, video monitoring, security guards, etc). This section should also detail facility access for employees, visitors, vendors, contractors, etc. If you use a DVR, detail the organization's policy on monitoring, use and disclosure of surveillance video to the proper authorities upon legal request. 

It is important to also include details about visitor controls and the use of log books, visitor badges, restricted areas and restricted items, non-disclosure agreements, etc. You should describe your delivery and acceptance guidelines (e.g. company versus personal mail and package delivery, etc.) in this section.

6. Hardware Security
This section may fit within an overarching section for those with a relatively minor hardware inventory. However, if your organization has its own data center and utilizes a lot of different types of servers (e.g. security devices, media, etc.) you can make "hardware" its own section.

Use this section to describe how you administer your hardware (e.g., servers, desktops, laptops, firewalls, etc.). For example, do you allow employees administrator rights to their assigned machines? If the answer is no, you should describe in detail how you manage the installation of hardware and peripheral components. 
You should also describe your inventory control process and return policies regarding employer property upon termination.

Describe in detail how employees can use employer property and the responsible parties involved with safeguarding the organization's assets. 

7. Software Security
As with the hardware section, you may elect to incorporate this into another section if your software footprint is not significant.
This section should describe the software supported by the organization (e.g. operating systems, productivity software, proprietary software, etc.). You should document any internal software owned and developed by the organization and appropriate use and ownership of such software.

You should also describe, in detail, the appropriate use of copyrighted software and licenses, purchasing, auditing, reporting, and potential ramifications of non-compliance.

8. Information Access
Use this section to describe how access to company systems and resources (assets) is documented, approved, assigned, and controlled. You should describe how the use of systems banners and disclosure agreements are used to protect company assets.

Furthermore, you should describe your user, group ID and password policies as well as remote and wireless access restrictions and requirements. This is in addition to describing the proper use of authentication devices (e.g. bio readers, PINs, access cards, hardware tokens, etc).

9. Operations Security
If you monitor your employees web traffic or access to assets, you should include your consent to monitoring statement and language in this section. You should also describe how and when you utilize confidentiality notices (e.g. documents, e-mail footers, etc).

This section is also a good place to discuss the use of removable media (i.e., USB drives, cameras, mp3 players, smartphones, PDAs, etc).

Lastly, you should outline your session controls such as the use of screensavers and locking PCs while stepping away.

10. Exceptions
Let's face it, no policy is perfect; therefore, there will be exceptions. You should build a vehicle for which to request and report exceptions. This is an entirely different topic, which I may tackle in a future post.

Final Comments: Depending on how you structure your policy and how important communications are to your organization, you may want to consider a separate section for "Communications Security". This should include use and security surrounding telephones, cell phones, and smartphones, conference calls, meetings and conferences, facsimile, voicemails, and e-mail. You can also combine language about consent to monitoring and acceptable use of the Internet and Web browsing in this section, rather than have a separate acceptable use document.

I hope this information is useful to both those starting from scratch and those who just want to improve on an existing policy. Don't worry if your policy is brief when you are first starting out; something is better than nothing. Start with the items most relevant to your organization and build it as you grow.

Stay tuned for communicating, updating, and enforcing your Security Policy - and I promise the next post will be way shorter.