Policies and procedures aren’t captivating, but they are critical to maintaining your security through the correct use of your systems. Here are the must-have policies that you require in 2021.
The Exciting World of IT Governance
IT governance is about putting in place a suite of policies and procedures that your workforce follows when they’re accessing an IT resource. The documentation forms a governance framework that provides instruction and guidance to your employees. If your staff adhere to the policies they’ll use your IT equipment in the way you’ve prescribed.
Sometimes data protection legislation such as the General Data Protection Regulation (GDPR) requires you to have certain procedures and policies in place. If you have chosen to conform to a standard such as ISO 27001 there will be a mandatory set of governance put into place so that you comply with the standard.
It’s a simple principle. You decide how you want things to be done, document it, and everyone adheres to the stipulations within the documents. It’s just like a miniature legal system. A set of laws are decided, documented, and come into force.
Developing, reviewing, and maintaining policies and procedures isn’t glamorous and it’s certainly not exciting. But it is critical.
The Critical Policies
Even if data protection legislation doesn’t force you to implement policies and procedures, and you don’t follow any optional standards, you still need some controls in place. The policies discussed in this article are the bare minimum you need. They won’t be the only documents you need though, because policies give rise to procedures and other supporting documents.
Policies define the requirements for people’s behaviors and the management of technological controls. They act like a “mission statement” to set the requirements and standards that the organization wants to run to. The detailed step-wise guidance and other supporting information are contained within related procedures, registers, and plans.
Keep your policies tightly-focussed and specific. Don’t try to cram everything into a single document. Keeping them separate helps to cement the idea that the different topics are distinct concepts that people need to be mindful of. It also makes the documents easier to manage through their review and revision cycles.
Give your procedures a coherent look and feel, and include some standard sections in the preamble before you get to the body of the procedure. Include a “Purpose” section that explains the purpose and objectives of the procedure. Also, include a “Scope” section that lists who is governed by the procedure. Does the procedure apply to all staff, or just the users of a certain software package, or only to remote workers? Does it cover contractors and temporary workers?
If there are terms that need explaining, include a list of definitions. If this section is more than half a page or so, you probably need to purge some of the technospeak. Don’t write for technical users, write for every user.
Acceptable Use Policy
The Acceptable Use Policy spells out what is and what is not acceptable use of your IT resources, data, and other assets. You need to formally document that you forbid the download, creation, manipulation, transmission, or storage of:
- Any unlawful, offensive, obscene or indecent images or data.
- Material that is defamatory, threatening, discriminatory, or extremist.
- Unsolicited “nuisance” emails.
- Material that promotes discrimination on the basis of race, gender, religion, disability, age, or sexual orientation.
- Material with the intention of committing a crime such as fraud or other deceptions.
- Material that infringes the intellectual property rights of your or another organization.
- Social media or other public messages that bring your organization into disrepute.
Be explicit that your IT services must not be deliberately used for activities having, or likely to have, any of the following characteristics:
- Intentionally wasting the organization’s—or any other user’s—time, efforts, or other resources
- Corrupting, altering, or destroying another user’s data without authorization.
- Purposefully disrupting the work of other users or the correct functioning of your network and other IT assets.
- Introduce data-interception, password-detecting or similar software or devices to your IT assets.
- Seek to gain unauthorized access to restricted areas of the network.
- Connect any unauthorized data storage device to the network.
- Carry out any activities commonly described or recognized as “hacking.”
- Intentionally or recklessly introduce any form of spyware, computer virus, or other potentially malicious software.
You should also include the range of sanctions or reprisals that could result from non-compliance to the policy.
Data Classification Policy
Different types of data have different values and will produce impacts of different severity if there is a breach of data. Intellectual property, copyright material, company confidential material, and other sensitive data must be protected.
Personally identifiable information (PII) must be protected too, and in many jurisdictions, it must be protected according to data protection legislation. Some types of PII are considered special categories of data—medical information and the PII of minors, for example—and must be processed and safeguarded in a particular way.
The only way to clearly capture the different categories of data that you generate, gather, store, transfer, and process is to create a Data Classification Policy. That requires a data audit across your organization to quantify the data you hold.
The scheme can be relatively simple. One common approach is to use:
- Highly Restricted: Highly confidential information. The inappropriate disclosure of this category of data is capable of serious damage or distress to individuals. It may also count as a non-compliance against applicable data protection legislation. Loss of this type of data could seriously damage your interests and reputation or threaten the security of your organization, staff, or your clients.
- Restricted: Confidential information. The inappropriate disclosure of this category of data will cause a negative impact on individuals. It may also count as a non-compliance against applicable data protection legislation. It could damage your organization’s interests and will have an overall negative impact.
- Internal Use: This is information that is considered inward-facing, not public-facing, but no substantive damage will be suffered if it was disclosed.
Although the scheme is simple, performing a thorough data audit and classifying the data can be challenging. You’ll uncover data types that span the definitions and could sit in two categories. The safest way to handle those instances is to classify the data as belonging to the higher of the two categories. Here are examples of data types and the categories they belong in.
- Highly Restricted: Intellectual property, trade secrets, and product development information. Sensitive PII or large volumes of “normal” PII. Information that relates to the safety of individuals, or the security of your organization and its IT resources.
- Restricted: PII, marketing strategies, risk analysis documents, financial records, and accounts.
- Internal Use: Non-confidential internal correspondence such as meeting minutes.
Now that you know what data you hold and are responsible for, you can plan to keep it secure. That requires an Information Security Policy.
Information Security Policy
Also called an IT Security Policy, this is the policy that will probably change the most frequently. Revisions of the Information Security Policy (ISP) can be driven by changes to:
- The company infrastructure.
- The IT infrastructure.
- Your data processing activities and purposes.
- The discovery of new cyberthreats.
- Insights gained from previous cyber incidents.
- External influences such as COVID-19 and the rapid switch to a mostly remote workforce.
Information security is about people’s behavior in relation to the information they are responsible for, facilitated by the appropriate use of technology. Your ISP defines your organization’s overall stance toward ensuring the confidentiality, integrity, and availability of your IT systems and data. It will address topics such as:
- The controls—technological and governance—that must be in place, and who is responsible for supporting them, maintaining them, and reviewing their continued effectiveness.
- The responsibilities of the users of the network and IT assets.
- Compliance with any data protection legislation or other standards.
- Patching schedules and strategies for operating systems, applications, and firmware.
- Access control should be defined for local and remote connections to your IT assets. All user accounts must be issued with a unique ID and password. Two-factor or multi-factor authentication should be used where possible.
- The requirement for a Hardware Asset Register. All IT equipment and assets identified and recorded in it.
- The requirement for an Information Asset Register. This records by department, team, or other sensible logical subdivision, the type of data that they gather, process, and transmit. This might be a requirement under data protection legislation.
- The requirement for a Data Classification Policy.
- The need for a Password Policy. If company-sanctioned password managers are to be allowed they will be listed in the Password Policy.
- The requirement for a Cybersecurity Risk Assessment including when it needs to be reviewed. Reviews can be required according to a schedule or because of an event such as an IT incident or data breach.
- Rules regarding the use of USB ports, removable media, and the use of unauthorized applications.
- The types of logging and the frequency of log reviews or automated log analysis.
- Business continuity requirements. The details will be held in a Business Continuity Plan or Disaster Recovery Plan.
Other requirements may present themselves as you go through the process of creating your ISP.
A password policy establishes the rules for the creation, protection, and use of passwords. The latest advice from Microsoft, the National Institute of Standards and Technology (NIST), and the National Cyber Security Centre (NCSC) all promote changes from established norms. They advocate the use of *passphrases*—three or more words separated by punctuation—rather than *passwords* using number and symbol substitution. Enforcing regular password changes is no longer recommended.
- All system access must be controlled by authentication using unique ID and password pairs as a minimum, and two-factor authentication if possible.
- The first time a user logs in they should be prompted to change their password.
- Weak passwords should be rejected.
- Passwords should never be shared between users.
- Passwords should never be used on more than one system.
- Passwords must not include information that could be socially engineered or guessed. For example, don’t use partner’s or children’s names, anniversaries or birth dates, sports teams, home towns, musical groups, etc.
- Don’t use sequences of keys like “qwerty”, “q1w2e3r4”, or “asdfg”.
- Passwords must never be written down. The only place they can be stored is a company-approved password manager.
- If a user suspects their password has been compromised they must immediately alert the system administrator.
Where it is possible, use two or multi-factor authentication. Automatically checking passwords against the Have I Been Pwned (HIBP) databases can be used to reject passwords that are already in the HIBP databases. If a password is in the HIBP databases then it is already in the databases used in password brute force and credential stuffing attack software.
Incident Response Plan
Your Incident Response Plan (IRP) is the playbook you follow when you have a cybersecurity incident. It’s allied to, but slightly different from, your Data Breach Policy (DBP). The DBP is the set of rules and actions to follow if personally identifiable information has been exposed or destroyed.
You don’t write the lifeboat plan when the ship is going down. You do it in advance and rehearse it. The same is true of your ISP. Include all stakeholders in its development and walk-throughs. These can include IT services, data protection roles, human resources, legal counsel, public relations, and management.
The IRP ensures an incident is handled in a prescribed and effective method, designed to minimize downtime, damage, and data loss. The stakeholders need to rehearse the plan so that it is familiar, trusted, and doesn’t get ignored in the midst of an incident.
By listing actions and assigning responsibilities to teams or departments, everyone knows their role and what needs to be done, and in what sequence.
Rolling The Policies Out
The smooth adoption of procedures depends on a number of factors.
- They must be written so that they can be understood by anyone. Plain English is the name of the game.
- Write them so they are effective, not impressive. No one is going to read something that looks like War and Peace, and even if they do wade through it they’ll never be able to follow it.
- Introduce policies and explain why they are important, both to the organization and the individual.
Review your governance frequently, and accept suggestions from your workforce. They’re the people on the front line following these documents. It only makes sense to hear what they have to say.