IT Security Policy

by on 11/03/2010

This article discusses the need for an IT Security Policy, what that policy should contain and how organisations should go about creating one. It also looks at the options for monitoring and / or restricting inappropriate activity – what solutions are available and how effective they are.

FITM is experienced in the creation of IT Security Policies and the technical options for monitoring those policies. Please contact FITM for further information.

Introduction

A company’s systems and data are critical to its survival, and so it is essential that every company with employees should have an IT security policy to protect them from accidents and behaviour deliberately designed to cause difficulties.

Having an IT security policy is increasingly important to any established and well-managed company. Customers, auditors, staff and potential new staff are looking at security policies and a good policy goes a long way to minimising the risks of illegal staff activity and bad PR.

Writing an IT Security Policy

Introduction

Writing an IT security policy is not a trivial task. There are many topics to be considered and executive decisions to be made balancing risk factors with potentially onerous and unpopular staff restrictions.

Creation

FITM’s recommended approach is to prioritise policies and write those that are deemed most important first rather than trying to complete all policies at once. Once written, policies can be inserted into a master IT Security Policy document. A checklist of individual policies is given in appendix 2, and a checklist of the sections of the master document in appendix 1.

For each individual policy, the first stage is to discuss what is required with key company stakeholders. For example, should all staff have access to Internet email and social networking sites such as Facebook and Twitter? Perhaps they should be banned altogether for some staff, or only allowed at certain times of day. These discussions should be facilitated by someone familiar with the options available as well as common practice.

Once a policy is decided, then it can be documented. Libraries of different IT security policies are available – these are of variable quality, but the best can vastly shortcut the documentation process at a small cost.

Technological and company changes mean that the IT Security Policy will change over time and a process should be put in place to review and update the document on a regular basis. For example, 10 years ago no company would have included guidelines on social networking sites such as Facebook and Twitter, but today that guidance is essential.

Depending on the volume of change, it may be enough to simply reissue the policy, perhaps highlighting the changed sections. If the change is large, for example if there is a new policy, then the education process may need to be repeated.

Education

A vital part of the creation of an IT security policy takes place once the document is agreed and issued. The document needs to be sponsored at the highest possible level and training sessions need to be held to explain the policy, the rationale and the possible penalties for non-compliance.

Education sessions should then be organised so that the new policy can be discussed. This is critical to ensure that everyone in the company understands the reason for the policy and buys in to its implementation. It is also advantageous to get every employee to sign that they have received, read, understood and will abide by the policy.

A process needs to be put in place to repeat this education for every person joining the company, including third party staff and contractors.

Monitoring / Restricting

A decision should be made as to the level at which the IT security policy will be monitored. There are fundamentally 3 options:

  • No monitoring.
  • No active monitoring, but activity logged. This enables activity to be investigated in retrospect if inappropriate behaviour is known about or suspected.
  • Active monitoring. In this regime, IT systems or manual processes are used to actively monitor staff behaviour.

Choosing to do no monitoring is clearly the easiest from a technical point of view. Either of the other two solutions necessitates IT systems and changes. For example, systems may be needed to track every email sent and received, Internet activity, instant messaging activity, social messaging activity (for example tweets on Twitter) etc.

Technical solutions also exist to restrict activities. The most common of these restrict particular types of Internet activity and can be fine-tuned to allow or disallow certain types of Internet sites, at certain times of day and for certain groups of people. If inappropriate staff behaviour is suspected or detected, these systems can be used to immediately restrict access for the individuals concerned.
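The following is an added example, not code from the article or from FITM, showing how the two technical regimes described above fit together: every access decision is written to an audit log so that behaviour can be investigated in retrospect, and a small rule set allows or denies site categories for particular staff groups within a time window. The rule structure, the category labels ("social", "filesharing"), the group names and the sample policy are all constructed for illustration; a real web filter would supply its own categorisation and configuration.

```python
"""Hypothetical web-access policy evaluator (added example, not from the
article or FITM).  Every decision is appended to an audit log for
retrospective investigation; rules allow or deny a site category for a
staff group, optionally only within a time window."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Rule:
    categories: frozenset          # site categories covered; empty = every category
    groups: frozenset              # staff groups it applies to; empty = everyone
    action: str                    # "allow" or "deny"
    start: Optional[time] = None   # inclusive start of the time window
    end: Optional[time] = None     # exclusive end; both None = all day

    def matches(self, category: str, user_groups: set, at: datetime) -> bool:
        if self.categories and category not in self.categories:
            return False
        if self.groups and not (self.groups & user_groups):
            return False
        if self.start is not None and self.end is not None:
            t = at.time()
            if self.start <= self.end:
                return self.start <= t < self.end
            return t >= self.start or t < self.end   # window spans midnight
        return True


DEFAULT_ACTION = "allow"   # constructed default; a stricter policy would use "deny"


def evaluate(rules, user, user_groups, category, at, audit_log):
    """First matching rule wins.  The decision is logged whether the
    site is allowed or denied, which is what makes retrospective
    investigation (the 'logged but not actively monitored' option) possible."""
    action, reason = DEFAULT_ACTION, "default"
    for i, rule in enumerate(rules):
        if rule.matches(category, set(user_groups), at):
            action, reason = rule.action, f"rule{i}"
            break
    audit_log.append({"ts": at.isoformat(), "user": user, "category": category,
                      "action": action, "reason": reason})
    return action


# Constructed sample policy: anyone in the "suspended" group loses all access
# (the immediate-restriction case), file-sharing sites are always denied,
# marketing staff may use social networking at any time, everyone else only
# outside core hours (09:00-17:30).
POLICY = [
    Rule(frozenset(), frozenset({"suspended"}), "deny"),
    Rule(frozenset({"filesharing"}), frozenset(), "deny"),
    Rule(frozenset({"social"}), frozenset({"marketing"}), "allow"),
    Rule(frozenset({"social"}), frozenset(), "deny", time(9, 0), time(17, 30)),
]


def denied_events(audit_log, user):
    """Retrospective review: one person's denied requests, in order."""
    return [e for e in audit_log if e["user"] == user and e["action"] == "deny"]


if __name__ == "__main__":
    log = []
    lunch = datetime(2010, 11, 3, 12, 30)
    evening = datetime(2010, 11, 3, 19, 0)
    print(evaluate(POLICY, "alice", ["marketing"], "social", lunch, log))     # allow
    print(evaluate(POLICY, "bob", ["finance"], "social", lunch, log))         # deny
    print(evaluate(POLICY, "bob", ["finance"], "social", evening, log))       # allow
    print(evaluate(POLICY, "bob", ["finance"], "filesharing", evening, log))  # deny
    print(evaluate(POLICY, "carol", ["suspended"], "news", evening, log))     # deny
    for event in denied_events(log, "bob"):
        print(event)
```

Ordering matters: the "suspended" rule sits first so that restricting an individual overrides every other rule, and the default action is applied only when nothing matches, so a category the policy never mentions is still recorded in the log.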

In practice, attempts to monitor all activity invariably miss some aspects – for example, few companies monitor text messages from company mobile phones. Given that the majority of staff have access to IT systems at home or on their personal smartphones, it is arguably far more important to educate staff about behaviour rather than attempt to police it. Business decisions will certainly be needed as to whether IT costs are justified.

Appendixes

Appendix 1 – Sections

The contents of an IT security policy are fairly standard and include the following sections:

  • Summary.
  • Version number and change record.
  • Introduction. E.g. “the purpose of this IT security policy is to manage risk and reduce it to an acceptable level”.
  • Definitions. An IT security policy should be written for a non-technical audience but using technical terms is sometimes unavoidable and these should be defined.
  • Scope. The people to whom the policy applies and in what circumstances.
  • Authority. Details of whatever authority supports the policy, for example the Board or the Managing Director.
  • Objectives and basic principles. E.g. does the company operate on a “need to know” or a “need to restrict” basis?
  • Roles and responsibilities. Who is responsible for the development and ongoing maintenance of the policy? Who is responsible for ensuring that all staff are familiar with and adhere to the policy?
  • Policies. See appendix 2 below.

Appendix 2 – Policies

Possible topics for an IT security policy include, but are not limited to:

  • Acceptable use policy
  • Backup policy
  • Confidential data policy
  • Data classification policy
  • Encryption policy
  • Email policy
  • Guest access policy
  • Incident response policy
  • Internet policy
  • Mobile device policy
  • Network security policy
  • Outsourcing policy
  • Password policy
  • Remote access policy
  • Retention policy
  • Third party connection policy
  • Virtual Private Network (VPN) policy
  • Wireless policy

Not all of these are appropriate for every organisation and there will be clear priorities even among those that are appropriate.

How Can FITM Help?

FITM provides consultancy to help you write your IT Security Policy and select and implement technological solutions to enforce and monitor that policy. Contact FITM for further details.
