Security Policies and Procedures
The information security policies protect your company against the external or internal security threat to the important data of your company. If you create password policies, install firewall, limit access to data but forget to create security policies and define a procedure to implement it, you are locking all your doors but leaving windows open. All your security measures are useless if you have not defined a proper security policy for your company to protect your data.
An information security policy is a set of rules and practices that define how the sensitive information of a company should be managed, protected, and distributed within the organization. The different aspects of an information security policy include labeling the information, modification of the information, accountability, and information ownership.
Each organization has an organization structure and the staff members at different levels needs to access different types of data. The information classification and the data distribution policies are therefore important for a company, so that the staff members at lower level should not be allowed to access data stored for higher level staff.
Besides, all type of information that a company stores is not equal and therefore does not require same level of protection. Therefore, information security classification as well as the identification of senior management as the owner of information is important. The type of information security classification in different types of organizations can be:
| Nature of organization | Types of information security labels |
| Business Sector | Public, Private, Sensitive, Confidential |
| Government Sector | Unclassified, Unclassified but sensitive, confidential, Secret, top secret |
It is important to remember that for each type of information, an organization needs to develop policies about what information is available and for what purpose it will be disseminated. The main objectives of information security policy are:
- Integrity: The data is not tempered and modified undetectably.
- Availability: Data is available when it is required. This means that all the systems that are involved in data security, data access or processing or data distribution function properly.
- Disclosure: The disclosure of data should be as much, as it is important for the user to perform his task.
Another important part of an information security policy is defining the authority and the delegation of authority for the policies. A system may define four types of users involved in security process. The different types of user roles involved in security process are:
| Users | Description |
| Owner | A senior manager or decision maker who owns the information |
| Custodian | People responsible for the maintenance of data such as network administrators and backup operators |
| User | The people who use data |
| Security Professional | People who are responsible for the security of data such as policy developers and testers who test data for security lapses. |
| Auditor | People who check that the security policies, guidelines, and practices are being followed in the company properly. |
A policy should define the roles and responsibilities of each type of user role involved in the security process. If the security system supports groups then the policy should define whether a user can belong to more than one group, how to resolve conflicts between individual user and group privileges, and individual accountability requirements within a group.
Implementing Good Security Measures
Implementing good security measures in your company can ensure the security, integrity, and availability of data. The good security measures to protect the information data of your company can be achieved by building a good security policy for the company besides other things. A security policy is the foundation of security measures taken by the company. It is the first security measure to reduce the risk of unacceptable use of company’s information resources.
The security policy should precisely inform all the employees of the company about the general use of company’s resources, their acceptable use, the prohibited activities and the security related responsibilities of the employees.
The security policy should describe the acceptable use of all the assets of the company that include hardware, software, and Internet. If an old security policy already exist then instead of wasting time in creating a new policy, it is better to rebuild the old one. The security policy should be updated time to time with the new threats coming up. Some other security measures that should be taken by an organization to implement good security are:
- Change Passwords: The passwords of all important servers that host important services must be changed frequently. For example, you should change passwords for servers that host system accounts, user accounts, firewalls, and routers. Frequent change in passwords ensures that an attacker cannot gain access to the system easily.
- Review User Accounts and Access Lists: The regular review of user accounts and access lists allow you to keep your network updated with the employees who access the network resources. Many times, the employees who have already left the company still have access permissions to company’s resources. This can lead to security breach.
- Create a “No Wireless” Policy: Wireless access devices are hard to secure and monitor. Therefore they should be turned off on the network. Personal devices should not be permitted on a corporate network. If you must have wireless corporate assets, you should create a policy to cover these devices.
- Implement Intrusion Detection System: The intrusion detection system will detect and prevent all attacks aimed at a system/network.
- Create an Incident Response Plan: The incident response plan should be created and Computer Emergency Repair Team (CERT) and Secret Service should be included in it. This ensures that staff members or security personnel know who to call first and how to investigate an event in case of an emergency or theft.
Information Security Processes
The information security process is the method that an organization uses to implement security in the organization. It includes elements such as:
- Risk Assessment: This includes the identification of threats and vulnerabilities of the system and assessing the risk associated with them and the probability of their occurrence.
- Strategy: This includes the plan to mitigate risk that is associated with the security policies, procedures, and training. The plan should be reviewed and approved by the board of directors.
- Authorization: This includes the assignment of roles and responsibilities to the users involved in the security process.
- Security Monitoring: This includes the use of various methods that will be used to ensure that the security controls are effective and performing intended tasks as desired. Besides it includes ensuring that the risk is appropriately assessed and mitigated.
