Thursday, May 17, 2012

Part II – Security Policy, SMB - Security Is At The Forefront



For many SMBs, a good security policy is the basis for a strong network defense. However, for those companies that have not designed and implemented a security policy within their organizations, security issues are lying in wait.

A security policy is the backbone and foundation of information security. However, in this day and age some SMBs have ignored or not kept up with current security concerns, and their policy, or lack of one, may allow a severe security breach. This may in fact prove fatal for an SMB.

In Part II of my series for SMBs, I am going to look at what makes a good security policy.

1. Executive Management Buy-In

All security policies should begin with an executive management summary that includes the purpose, direction and approval of the policy. This informs IT as well as employees that security is supported in all aspects of the business. Support for security needs to come from a top-down approach. When security initiatives are supported from the top, employees know that security is not only implemented but supported at all levels.

2. Policies

A security policy is actually a collection of different types of policies put together to create one policy. These component policies are created for the different areas that need to be secured, such as identification, authentication, authorization and auditing. Other types of policies would include a user access policy, password policy, VPN policy, remote access policy, wireless policy and acceptable use policy. Each of these policies would address a certain set of guidelines and procedures for implementing these technologies.

3. Standards

Each policy will have standards for how the technology can be implemented. Standards are important because they give us a metric to measure against. For example, if the password policy has a minimum length of 8 characters, then when we set passwords we have a value against which to measure whether we have met the standard.

4. Guidelines

As mentioned earlier, each policy may also have a set of guidelines. Guidelines are helpful because they allow us to implement technology with variables that may differ from one area to another. Guidelines provide a range of values, because a single fixed standard may not be appropriate for that technology. An example of a guideline would be the types of hardware purchased for laptops. No one laptop may fit all the needs, so guidelines are put in place to ensure secure hardware is purchased.

5. Procedures

These are the details that go along with every policy and explain the how, who, what and when of how the technology is implemented. An example of a set of procedures would be how a Cisco wireless thin client is installed and managed.

6. Acceptable Use Policy

This is the part of the security policy that informs everyone how company assets and resources are to be used inside and outside of the company. The acceptable use policy has guidelines, procedures and standards covering everything from how you can use a company laptop to where you can go on the internet. It is important that companies ensure it is kept up to date and that employees are made aware of changes.

If you would like more information on creating a security policy, and to download templates for creating different types of policies, try SANS: Information Security Policy Templates.

Next month, in Part III, I will be discussing how SMBs can implement and improve security awareness.

Thank you, and if you have any questions during the series please feel free to email me at wpruett@centriq.com.



Tom Pruett
Consultant/Instructor