Forging the future

--Originally published at The Hitchhiker's Guide to information security… according to me!

Securing a system is like going to a buffet. You have a plate in mind, and you start looking for the food that most closely resembles your idea of the perfect dish. After searching for a while you start picking up the best food you found, and by the end your masterpiece is complete. In the information security world as well, there are many constraints, behaviors, procedures, steps to be taken, control and security mechanisms, risk management frameworks, etc. that you can choose from, and picking the ones that best fit your system requirements is like grabbing all your favorite food and putting it on the same plate… just awesome, and that awesomeness is called a security policy.


A security policy is a document that explicitly states the steps to be taken in order for a company to keep its physical and information assets secure. This ranges from how to educate employees so that they correctly comply with the rules being set, to explanations of how to carry out, through detailed procedures, the security measures established. Think of it like a constitution where we all agree to follow a set of rules in order to coexist peacefully and build a better future that we all agree to work for.

Then again, we stumble on the question “Ok, I know the theory, but how is it applied?” and thank God there are people out there who make our mortal lives easier, building frameworks for us so that we do not fall into the darkness while we travel through this unknown land.

A security policy framework consists of the following four types of documents.

  • Policies: documents that state the security expectations of the organization. Compliance with them is mandatory.
  • Standards: documents that describe in detail the security controls the organization must follow in order to achieve the expectations set out in the policy.
  • Guidelines: advice or best practices on the use of information assets in order to more easily achieve the expected goals.
  • Procedures: step-by-step instructions the organization must follow when performing a specific security task.

All of these documents together make a good framework for constructing your own policy. Now, all of this is still in our heads; we need to land this information in a real thing in the real world. So you may ask “What does a security policy look like?” Here are some examples.

Examples of security policies

Acceptable use policy: this policy describes how employees or users are allowed to use the system. It clearly states what they can and can’t do in order to protect the organization from criminal activity or from actions that may reflect poorly on the organization.

Privacy policy: this refers to the way an organization collects, stores and shares sensitive information, whether from users or from employees. It also specifies what the organization collects, what it shares, and what the users’ or employees’ obligations are when handling information.

Information security policy: this policy designates the roles and authority of the members involved in administering information security, and also specifies how to handle incidents, where exceptions apply, and what process should be followed in case of a violation.

Security policies can be very specific and full of security controls, or more relaxed and carefree. It is up to the organization to choose wisely which suits it best. Nevertheless, it is imperative that all security policies are written in clear, 8th-grade-level language so that anyone can understand them and comply accordingly.

A security policy is like a work of art in progress: it is constantly being improved, and in the eyes of the artist it is never quite done. Your tastes in food change, and so does the world. That’s why security policies need to be revisited, updated and re-authorized continuously, so that the organization is prepared for the new threats and procedures that could apply to its requirements. So grab the plate that best satisfies your appetite for now, because this is a never-ending story.