A guide to creating role-based security policies & standards that live & breathe

Is your organisation drowning in policies? Are your policies unclear and untraceable to your business objectives? This guide (and the associated series) is intended to help you align your security policies & standards with your business needs.

All too frequently, security policies and standards are written in a vacuum, with no tangible relationship to the business, its objectives, its risk appetite and its way of doing business. Worse still, they may be based on a set of templates that have not been carefully tailored to the organisation's unique needs. An established institution will take a very different approach to security than a start-up, especially where the established institution has a large number of employees, physical assets, legacy systems, customers and governance arrangements brought about by regulation and/or shareholders. Start-ups are often more open to opportunities and risks, have fewer physical assets and may have no existing customers. Be sure to develop policies and standards that fit your organisation.

We can look to industry standards such as ISO 27001, the Australian Government Information Security Manual (ISM) and the US Cyber Security Framework (links to each below). However, templates and standards don’t do a couple of important things. Firstly, standards and templates don’t provide priorities unique to your business; but effective risk management does (refer to the previous article – link below). Secondly, standards and templates don’t assign responsibilities to people within your organisation. Assigning responsibilities to people is the first step in ensuring they are carried out. We at Arcord Cyber Security (link below) provide security consulting services to create tailored policies and standards. We’ve also developed our TrustyGate software platform (link below) to make this process as simple as possible for small to medium sized organisations.

Our TrustyGate software platform (link below) can be used as a basic system for creating and hosting your policies and standards. It allows you to create a policy or standard as a collection of statements. Each statement may carry references that explain its relevance and help implement it. Firstly, each statement should reference a role; statements can later be filtered by role to find the statements relevant to each role. Secondly, statements may reference controls from the control library. Where those controls mitigate risks on your risk register, you can trace each statement back to its reason for existence. A statement with no purpose should be given one or put in the trash. Thirdly, statements may reference compliance requirements from the compliance register (e.g. privacy) to highlight their importance. Finally, and most importantly, statements may reference performance checks that measure the continuing effectiveness of the statement (and of the referenced control). Performance data can be collected over time to demonstrate conformance and to identify where corrective action may be necessary.
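The statement-to-role-to-control-to-risk model described above, as an added illustration in Python; this is not TrustyGate's own code, and the risk register, control ids, roles and statements are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Statement:
    """One policy statement with the references the article describes."""
    sid: str
    text: str
    role: str                                        # accountable role
    controls: list = field(default_factory=list)     # control library ids
    compliance: list = field(default_factory=list)   # compliance register refs
    checks: list = field(default_factory=list)       # performance check ids


# Constructed sample risk register: risk -> controls that mitigate it.
RISK_REGISTER = {
    "R1 ransomware outage": ["C-backup", "C-antimalware"],
    "R2 unauthorised remote access": ["C-mfa"],
}

# Constructed sample standard, written as a collection of statements.
STATEMENTS = [
    Statement("S1", "Critical systems are backed up daily; a restore is tested quarterly.",
              "IT Operations Manager", ["C-backup"], [], ["PC-restore-test"]),
    Statement("S2", "Remote access requires multi-factor authentication.",
              "Identity Administrator", ["C-mfa"], ["Privacy Act"], ["PC-mfa-coverage"]),
    Statement("S3", "Visitors must wear a lanyard at all times.", "Facilities Manager"),
    Statement("S4", "Passwords are changed every 30 days.",
              "Identity Administrator", ["C-password-rotation"]),
]


def statements_for_role(statements, role):
    """Filter a standard down to the statements one role is responsible for."""
    return [s.sid for s in statements if s.role == role]


def traced_risks(statement, risk_register):
    """Risks this statement helps mitigate, found via its control references."""
    return sorted(r for r, ctrls in risk_register.items()
                  if any(c in ctrls for c in statement.controls))


def orphan_statements(statements, risk_register):
    """Statements that trace to no risk: give them a purpose or retire them."""
    return [s.sid for s in statements if not traced_risks(s, risk_register)]


def unmeasured_statements(statements):
    """Statements with no performance check, so effectiveness cannot be shown."""
    return [s.sid for s in statements if not s.checks]


def conformance_rate(results):
    """Share of passed checks in a list of (check_id, passed) results over time."""
    return sum(1 for _, ok in results if ok) / len(results) if results else 0.0
```

Running the orphan and unmeasured reports against the sample data flags S3 (no control) and S4 (a control that mitigates nothing on the register), which is exactly the review the article recommends.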

Policies and standards that are often required include ones for program management (e.g. creation of an Information Security Officer role and a governance committee), information asset management, risk management, human resource security, physical security, identity and access management, IT operations security (change management, protection against malware, backups, logging and monitoring), network security (e.g. segregation of networks, encryption in transit, wireless), information security incident response, system acquisition and development (e.g. secure coding, security testing), supplier security, business continuity and acceptable use. It is also often necessary to create policies and standards for hot topics such as mobile computing, cloud computing, Internet of Things (IoT) security and 'big data' security. Our TrustyGate software (link below) gets you started with basic content in these areas, which you should refine based on your own needs. It also provides a basic change history and an optional change control that requires Document Owner approval before changes are published. TrustyGate also triggers an annual review of policies and standards to ensure they remain current and appropriate.

We plan to develop the document/policy management component of our TrustyGate software platform much further including a better rich text editor, better forms and a capacity to perform assessments (identify whether the policy has been implemented and whether it is operating effectively or not). If you have any questions or feedback, or would like a trial account, please don’t hesitate to visit the webpage or get in touch by emailing us.

Other articles in this series:

For more information:

Andrew Robinson

Building AI-powered solutions for cyber GRC.

6 years

Please comment here and let us know if you'd like to get rid of policies entirely... but at the same time please let us know what should replace them... checklists? social contracts? artificial intelligence?
