By: Lisa DuBrock, CPA, CBC
Whether you are tasked with writing your organization’s information security policies or updating existing ones, knowing what a well-crafted policy contains is important. Below are details of many of the areas you should include:
Security Definition – All security policies should include a well-defined security vision for the organization. The security vision should be clear and concise and convey to readers the intent of the policy. This section should also state which security standards, if any, your organization follows. Examples include the ISO 27001 Information Security Management System (sometimes still referred to as ISO 17799), the NIST standards (National Institute of Standards and Technology), or any of the other standards available to you.
Enforcement – This section should clearly identify how the policy will be enforced and how security breaches and/or misconduct will be handled. Whatever enforcement actions you adopt should be consistent with the enforcement actions already in place for enterprise security breaches.
User Access to Computer Resources – This section should identify the roles and responsibilities of users accessing resources on the organization’s network. Procedures should be included such as but not necessarily limited to:
Obtaining Network Access and Application permissions
Prohibiting personal use of organizational computer systems
Use of portable media devices
Applicable e-mail standards of conduct
Specifications for both acceptable and prohibited internet usage
Account termination process
Threat notification procedures
Security Profiles – This section should describe how security profiles (baseline configurations) will be applied uniformly across common device types (e.g. servers, workstations, routers, switches, firewalls, proxy servers, etc.).
Sensitive Data – This section addresses any information that is protected against unwarranted disclosure. Access to sensitive data should be safeguarded. Protection of sensitive data may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations.
Passwords – This section should state clearly the requirements imposed on users for passwords: minimum length, required character set, the number of incorrect entries allowed before the account is disabled, the number of days a password remains valid, and the number of unique passwords required before one may be reused.
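As an added illustration (not part of the original article), the five password parameters listed in this section expressed as an enforceable policy object, with a small account model that applies them to password changes and login attempts. The parameter values, the Account structure and the use of plain SHA-256 are constructed placeholders for the example; a production system would store a salted, slow hash instead.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from hashlib import sha256
import re
@dataclass
class PasswordPolicy:                 # the five parameters named in the Passwords section
    min_length: int = 12
    max_failed_attempts: int = 5      # incorrect entries allowed before the account is disabled
    max_age_days: int = 90            # days the password remains valid
    history_size: int = 10            # unique passwords required before reuse
    required_classes: tuple = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")  # character set

@dataclass
class Account:                        # constructed model; real systems keep this in a directory/IdP
    history: list = field(default_factory=list)  # digests of past passwords, newest last
    failed_attempts: int = 0                     # reaching max_failed_attempts disables the account
    password_set_on: date = field(default_factory=date.today)

def _digest(password: str) -> str:
    # Stand-in for the example only; a real system stores a salted slow hash (bcrypt/argon2).
    return sha256(password.encode()).hexdigest()

def validate_new_password(policy, account, candidate) -> list:  # [] means acceptable
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not all(re.search(p, candidate) for p in policy.required_classes):
        problems.append("missing a required character class")
    if _digest(candidate) in account.history[-policy.history_size:]:
        problems.append(f"reused within the last {policy.history_size} passwords")
    return problems

def set_password(policy, account, candidate) -> bool:
    if validate_new_password(policy, account, candidate):
        return False
    account.history.append(_digest(candidate))
    account.password_set_on = date.today()
    return True

def record_login(policy, account, supplied, today=None) -> str:  # 'ok', 'expired', 'bad' or 'locked'
    locked = account.failed_attempts >= policy.max_failed_attempts
    if locked or not account.history or _digest(supplied) != account.history[-1]:
        account.failed_attempts += 1          # a locked account stays locked
        if account.failed_attempts >= policy.max_failed_attempts:
            return "locked"
        return "bad"
    account.failed_attempts = 0               # a successful login resets the counter
    if (today or date.today()) - account.password_set_on > timedelta(days=policy.max_age_days):
        return "expired"
    return "ok"
```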
E-Mail – This section covers how attachments are handled (including filtering), personal use of the e-mail system, language restrictions, and archival requirements.
Internet – This section is about usage and what content filtering is in place.
Anti-Virus – This section identifies how frequently the virus definition files are updated, as well as how removable media, e-mail attachments and other files are scanned.
Back-up and Recovery – A comprehensive back-up and recovery plan is included here. This section may be separated from the policy as a whole and included in a comprehensive Business Continuity Plan for your organization.
Intrusion Detection – This section discusses what if any Network Security Intrusion Detection or Prevention System is used and how it is implemented.
Remote Access – This section should identify all the ways the system can be accessed remotely and what controls are in place to ensure that only authorized individuals gain that access.
Information Security Auditing – This section states how all the security programs are reviewed and how frequently.
Information Security Training – Training comes in many different flavors. One type of training required in an organization is awareness training. The policy should document what sort of awareness program is in place and how it is communicated on a regular basis.