Security policy 101: How to develop security policies for your business

Part two of Computerworld’s guide to developing cyber security policies based on ISO 27000

Read part 1 of this series: Unsecured and unaware: Why your business needs cyber security policies now!

Why create policy?

Documented, easy-to-understand security policies are essential for protecting your organisation against cyber attack.

While a targeted attack can bring down even a sophisticated organisation, preparation reduces your ‘attack surface’, helps you understand what you are actually trying to protect, and lets you minimise both the likelihood and the impact of a security breach.

In part one, we discussed the reasons for developing your security capabilities, the changing tide of privacy awareness and new data breach legislation being introduced by the Australian government.

A major theme from part one was that “many security threats are relatively unsophisticated and rely on unmaintained systems, social engineering and poor business policies and processes”.

So what can you do with no resources, no time and no clue?

Well, the answer is pretty simple: Do something! Make a backup, change your passwords — don’t just sit there and wait for the inevitable to happen.

Make security part of your business culture. Raise the bar on security issues and work deliberately to improve your security preparedness, policies, and procedures. You don’t need to be a security or tech guru to do this; you just need to consider your business rules, requirements and contingency plans.


You can start understanding and improving your security requirements by documenting your business rules and security policies in plain, easy to understand language.

These rules and policies can be further developed to create comprehensive checklists for managing a range of scenarios and incidents — checklists to handle processes from hiring and firing, through to a suspected malware infection.

With good policy documentation, the process of securing IT is formalised and greatly simplified. Good policies are easy to understand, reasonable, enforceable, and up-to-date.

One of the biggest issues facing any IT team is the shifting goalpost. Today you are secure; tomorrow the director is on the phone demanding remote access. With no clear policy and a knee-jerk reaction? Bam! Your security is broken.

Policies define what needs to be considered before managers, staff, and even clients make haphazard changes to your business rules and infrastructure. Policy documents get everyone on the same page and are the cornerstone of the information security process.

Facilitating a cyber security policy discussion

Security is about thinking deliberately and methodically: identifying the types of scenarios that could occur; determining what financial and operational impact each scenario would have on your business; then implementing technical, procedural or insurance measures to minimise those risks and to improve your ability to recover quickly from a security incident.

A common approach to managing security policies is to adopt a recognised international standard such as the ISO 27000 series. These standards list a whole range of considerations and scenarios that require policies and controls: managing internal business structures; segregating duties; malware protection; encryption; information sharing; physical access controls; data disposal and a whole lot more.

The themes for our Security Policy 101 discussions are loosely based around concepts of ISO 27000. Our goal isn’t to make you ISO 27000 compliant, but we are going to move in that direction. This guide will help you take the first steps to thinking about security and how to document policies and controls.

Keep in mind that your business or industry may have mandatory security standards that you need to be aware of. This discussion isn’t aimed at compliance with any specific standard; what we’re trying to do is make the “every day” business more secure. Take a moment to familiarise yourself with the rules if you’re in (or work with) industries such as health care, insurance, finance, payment/credit cards, or government.

For a small organisation with almost no security policies in place, your discussions should be about pragmatic changes and processes that make you more secure than you were last week, or last year.

The following is a list of some things to consider. They are grouped by themes and can be used to help guide your security policy deliberations.

Browsing the list, you may be able to identify some “easy wins” that will improve your security immediately. Or, ideally, you could sit down with your work colleagues and spend a few hours developing a plan that helps your organisation work towards a formal cyber security strategy and policy document.

You may wish to develop a document template to make it easy to flesh out your security policies. Start with a simple title, date, short description, goals, and any checklists that need to be followed. This doesn’t need to be complicated, but if you don’t write it down you’re not really developing policy, you’re just having a talkfest!

How to read (and use) the guide

If you’re here, you’re probably interested in improving your security. This article is intended to provoke your thoughts and discussions on the topic of information security policy. A frequent issue for small organisations is that they simply don’t know where to begin. This guide can help by adding some structure to your security policy creation.

The guide will probably serve you best when you are in the midst of your policy deliberations. A first-pass skim of the bullet points will give you food for thought. Then bookmark this page and set a reminder in your to-do list: the hardest part of creating policies is getting started!

See the quick and dirty guide to security policy creation.

Nikolai Hampton holds a Master's Degree in Cyber Security and is a director of Impression Research. He consults on matters of privacy, security, digital forensics, and incident response. His focus is on the correct application of cryptography. He is passionate about educating business on complex security issues. Follow Nikolai on Twitter: @NikolaiHampton