Following on from the initially dull-sounding Inventory control, we move swiftly to the equally uninspiring Policy control, but that's just on the face of it. At this point it's probably worth disclosing that I think policies, standards and guidelines are fantastic…when done well. Policies allow you to document the high-level principles of your security, which gives you something to aim for with all the other controls.
In its simplest form, we can create an Information Security Policy to guide all other policies. Here are some ideas for its content:
- We will protect the confidentiality, integrity and availability of our assets from malicious intent, mistakes and misconfiguration
- As custodians of our clients’ data we will protect those assets as our own
- Access to data will be on a least privileged and need-to-know basis
- Assets will be protected through defence in depth
- List all the controls you will implement, using the control environment in this blog series as a base, e.g. Inventory, Vulnerability management, Penetration testing etc.
Two additional tips for policy writing: firstly, keep them short, as no one will read them if they're long (the overarching policy above should be two pages at most); secondly, use plain English.
We now have a high-level policy which says we are going to do the right thing with security. The next stage is to create standards one level below it, again documenting some of the controls you would like to implement.
Below is a list of standards to consider at a minimum:
- User access control
  - How accounts are created, managed and deleted, and most importantly not shared.
- Server management
  - How servers should be commissioned, hardened and maintained.
- Network management
  - How the network should be protected, e.g. with firewalls, and some high-level principles around ingress and egress.
- Secure application development
  - Does what it says on the tin.
- Vulnerability management
  - Covered in detail in a future post, but how will you know if you have a problem, and how will you test all your controls?
- Acceptable use standard
  - This is the one all employees should read; it says not to download dangerous files, put client data at risk, or access sites or files they know they shouldn't.
As for content, keep it simple. As an example, here are some controls you should include in a server management standard:
- Ensure patches are deployed in a timely manner
- Ensure services offered are kept to a minimum
- Implement one primary use for each server
- Ensure all default accounts, passwords and content are removed
- Harden the server using vendor recommendations or those from third parties such as the Center for Internet Security
As you can see, policies are a force for good, and if kept simple and realistic they can have a huge impact. Over the years we have seen a large number of poorly written, often lengthy, policy sets written in fancy language that are actually very ambiguous and hard to read.
We are in the process of creating free-to-download templates for security policies and standards; join our mailing list to be kept updated when they are ready to be released.