Add to collection(s) Add to saved
  1. No category
Uploaded by canadaonkar

Security Policy Cheat Sheet

advertisement 
Security Policy
Cheat Sheet
What is a Security Policy?
Security policies are documents that set out executive instructions, business
procedures, and processes related to security controls, introduced to reduce the
security risk to the organisation. When personnel are aware of and follow good
company security policies, the likelihood of a security breach is greatly reduced.
This, in turn, lowers the overall risk level of the Information Security Management
System (ISMS) to the business. Security controls are a requirement for businesses
aiming to comply with data privacy laws such as GDPR, and for those aiming to
become certified in a security framework.
What is a Security Framework?
A security framework is a set of recommended security controls, guidelines or best
practices that are often Industry Standard. Sometimes security frameworks are set
by government bodies such as those from NIST, in the USA. They can be set by
organizations such as the International Organization of Standards (ISO). A
framework will set out controls that are required to be implemented by an
organization aiming for certification.
Once the organization complies with the applicable controls, it must undergo an audit
to confirm the controls are in place. After a successful audit, the organization may
achieve certification for a period (normally 1 or 3 years).
Certification under ISO 27001 may be a requirement under a contract with a
customer or used to attract customers who require their suppliers to achieve
certification before entering business with them. Ultimately, it revolves around money
but has the added benefit of making organizations think about the security of data.
Writing Policies
To make policies effective, there are several things to consider:
Layout
The document must flow well. It should follow a logical order that makes sense to the
reader. When you read a book, you don’t start at chapter 3, move on to chapter 7
and then back to 1. If you read like that, the story becomes jumbled and hard to
follow. Start at the beginning of the procedure and make logical steps throughout.
A suggested format:
•
•
•
•
•
•
•
•
•
•
•
•
Title and reference number
Owner – Is the person with overall responsibility for the document
Record of Approval/Executive Sign off
Version control – A table showing previous versions and changes
Control matrix – A table with references to the required controls
Purpose – The reason why the policy exists
Scope – The areas of the business the policy covers
Responsibilities – The people required to act within the policy
Definitions – Information about the acronyms used
Procedure – Detailed instructions on the steps required
Additional sections and subsections
References – to other documents
Readership
When writing policies, you need to think about the people who are reading the
documents. Are you the CEO of a small tech start-up of fewer than 10 employees,
where everyone lives within 15 miles of the office? Are you the IT engineer for a nonprofit with 100 employees based all around the country? Are you the Governance,
Risk and Compliance Analyst for a global enterprise? The number of people reading
your policies matters, but not as much as the actual people reading them.
Who are the readers? Will they understand the information?
•
•
•
Professionals
Manual labour
Technical specialists
Is English their native language?
•
•
Aim the writing style and reading age towards a young teenager
Do you need to get the policy translated?
Is the policy to be read by all employees or a select few?
•
Do you need to have the janitor read the Data Backup policy when they only ever
sign in to read their payslip or request cleaning materials?
Accountability of Readers
To comply with different security frameworks, your employees may be required to
sign to confirm they have read and understood the policies required to complete their
duties. You must implement a way for this to happen that cannot be misrepresented
and is auditable. Some companies provide this through the internal Learning
Management System (LMS) or host the policies on an external platform. Users sign
in using single-sign-on, read, and sign to confirm they understand. You can set the
readership of the policy (Entire company, selected departments, or people). Doing it
in this way ensures you meet the requirements of the controls.
Length of a Policy
Is it a Technical Policy or Procedure?
•
•
•
•
•
If the document is not technical in nature or purpose, then keep it simple
Don’t fill it will fluff that doesn’t need to be there
Don’t expect employees to read a 45-page policy and understand anything at the
end of it
It is better to have 2x 15-page policies, than 1x 30-page policy
Stay direct, clear, and concise
Legal Terms and Language
99.999% of your employees do not understand Legalese or the legal language
written in English. If your policies contain this, remove it, or convert it into
understandable, direct, clear, and concise terms.
Title and Reference Number
When you are naming policies, try and use names that fit with the content and if you
are applying for certification under a standard like ISO 27001, use names that
correspond to the controls or areas that are required. Set up a standard naming
convention that can also be used to reference the document within a master
document control method. Examples could be:
•
•
•
DEV-SDLC-POLICY Software Development Lifecycle Policy
SEC-MDM-POLICY Security & Mobile Device Management
IT-SAFE-USE-POLICY Safe & Acceptable Use Policy
Templates
Templates, when used the correct way may help you. However, if you use a
template that has been written for a different company, you may find that it is not
suitable for the requirements of your business, and it could cost you repeat audit
costs and consultant fees. Purchased templates that have been designed for the
industry, specific to certifications such as ISO 27001 or SOC 2 may be just the thing
to help you implement the required documentation. You may even wish to create
your own.
Once you have an acceptable template, you should use the same template for every
policy. Introduce your company branding, font selection and colour schemes. Trust
me, your policies will look great, and the consistent approach will provide a familiar
feel to company documentation among employees.
Every policy must be written specifically for the organization implementing it.
Re-using content from policies published online by other companies will lead
to problems and should be avoided at all costs. Spend the time to customise!
Stuart’s TOP TIP – Tell them why!
Security is often seen as the department of NO! This can bring in some negative
reactions or feelings from people who have been doing their job the same way for 15
years. Now you are asking them to do something differently. It takes them more time
and they may find that frustrating. Tell them why the controls have been introduced
or the procedure changed. When employees understand the reasoning behind the
controls, they are much more receptive to their introduction.
Security Policy Training
The author, Stuart W is in the process of writing a course to help delegates to
understand the intricacies of Security Policies. The information above is a snippet of
the course content and can be used to help when writing policies within educational
courses such as university degrees or indeed when producing policies for business.
The course will be available in the latter half of 2022. To be the first to know about
the course launch date and maybe a cheeky little discount, please ensure that you
have signed up with the mailing list on the website.
www.techsecscot.com
© Copyright owned by TechSecScot.com 2022
This document is not to be amended, used within course material, or published on
any websites without the prior authorization of the author.
By using this information, you do so at your own risk and any financial losses are the
responsibility of you and you alone.
For information purposes only. This is not legal or consultation advice.
Related documents
7f8bbdb1ddaed4bdc8feaa0d37210031 Feedback-Plan-Template
7f8bbdb1ddaed4bdc8feaa0d37210031 Feedback-Plan-Template
ISO 27001 Certification Consultant
ISO 27001 Certification Consultant
PRESS RELEASE: McCoy Bolt Works, Inc. announced the receipt of
PRESS RELEASE: McCoy Bolt Works, Inc. announced the receipt of
Lessons Learned Template
Lessons Learned Template
January 2, 2009 Employee name 1900 N Third Street
January 2, 2009 Employee name 1900 N Third Street
Ansi Z10 - ISO 45001 Comparison Chart Nov 2020
Ansi Z10 - ISO 45001 Comparison Chart Nov 2020
iso 27001 certification
iso 27001 certification
iso 31000 internal auditor course
iso 31000 internal auditor course
ISO Certification
ISO Certification
iso certification in hyderabad
iso certification in hyderabad
EN ISO 9712 Nordtest DOC GEN 010 6 4
EN ISO 9712 Nordtest DOC GEN 010 6 4
Download
advertisement