Question

In: Computer Science

How internal IT and network risk policies can play an important role in combating staff lack of organisational compliance?

Expert Solution

Most small and medium sized organizations lack well designed IT Security policies to ensure the success of their cyber security strategies and efforts. The omission of cyber security policy can result from various reasons, but often include limited resources to assist with developing policies, slow adoption by leadership and management, or simply a lack of awareness of the importance of having an effective web security program in place.

In my previous articles on Data Security and GDPR, we discussed the technical tools that can protect an organization’s data, as well as the new European regulations for data protection. In this article, we’ll bridge the gap between technical solutions and regulatory compliance by taking an in-depth look at why IT Security Policies are important to your organization, and how you can get started on developing your own cyber security program.

A cyber security policy identifies the rules and procedures that all individuals accessing and using an organization’s IT assets and resources must follow. So why do we need to have IT Security Policies? The goal of these network security policies is to address security threats, to implement strategies that mitigate IT security vulnerabilities, and to define how to recover when a network intrusion occurs. Furthermore, the policies provide guidelines to employees on what to do and what not to do. They also define who gets access to what, and what the consequences are for not following the rules.

Regardless of size, it is important for every organization to have documented IT Security Policies, to help protect the organization’s data and other valuable assets. It is a requirement for organizations that must comply with various regulations such as PCI, HIPAA, GDPR etc. The key factor is to have “documented” security policies that clearly define your organization’s position on security. This can be of critical importance in the event of a data breach and/or litigation discovery.

There are three core objectives of IT Security Policies:

  • Confidentiality – the protection of IT assets and networks from unauthorized users.
  • Integrity – ensuring that the modification of IT assets is handled in a specific and authorized manner.
  • Availability – ensuring continuous access to IT assets and networks by authorized users.

IT Security Policies should be developed with a multi-layered approach. In doing so, there are nine topic areas which need to be addressed.

  1. Acceptable Use Policy
  2. Confidential Data Policy
  3. Email Policy
  4. Mobile Device Policy
  5. Incident Response Policy
  6. Network Security Policy
  7. Password Policy
  8. Physical Security Policy
  9. Wireless Network and Guest Access Policy

The above are the minimum policies an organization should have in place in order to have a sufficiently robust IT Security program. We won’t go into specific detail about each policy as part of this article. However, we have compiled generic templates for each policy which you can download from the OSIbeyond Resource Center. It’s important to note that these templates are just a starting point and that you should heavily customize them to fit the culture and security posture of your organization.

So where do you start in developing IT Security policies?

Identify Your Risk

As a first step to IT security policy development, start looking at the current IT risks and network vulnerabilities of your organization. Do they include inappropriate use of resources? Leakage of confidential information? Or perhaps regulatory compliance? A good way to identify your risks is to have an outside consultant conduct a vulnerability assessment for your organization. This can also be done internally with a combination of monitoring and reporting tools, as well as discussions with key members of each department within your organization.

Learn from Peers

Why reinvent the wheel when you can learn from others in your industry? Chances are that other organizations have already ventured down this path and developed IT security policies. If your organization is a nonprofit or association, the ASAE and NTEN communities are a great resource to reach out to your peers. For commercial organizations, there are plenty of resources available online that provide guidance, recommendations, and even templates. NIST provides great resources such as their Cyber Security Framework for industry resources. CIS (Center for Internet Security) provides more technical tools and best practices such as the CIS Controls. These controls provide a prioritized set of actions to protect your organization and data from known cyber-attacks. Finally, SANS is a good source for security research, training etc.

Verify Legal Requirements

Depending on the types of data you handle, the location and jurisdiction of your organization, and the industry you operate in, there may be minimum standards which you must implement to ensure the privacy of your network and the integrity of your data. This is especially true for organizations that hold data containing sensitive personal information such as credit card and social security numbers. If your organization does business with entities or consumers in the European Union, you must comply with GDPR.

Don’t Go Overboard

Based on the results of your risk assessment, you should be able to clearly identify the areas of IT risk and thus the level of cyber security that is appropriate for your organization. If your organization already has a well-founded web security program and operates in compliance with your cyber security policies, but just doesn’t have everything documented, then perhaps formalizing existing policies in writing is all that is needed. It is not necessary to implement excessive security measures, because they can have the side effect of hindering business operations or encouraging staff to invent workarounds.

Include Your Staff

IT Security policies are only effective if staff adhere to them. Otherwise, you’ll be left policing everyone. The key is to ensure that staff have buy-in and stake in policy development. Communicate early and often with the entire organization. Ensure that everyone is aware why policies must be developed, what the risks are, and the implications of a security incident for the organization and its employees. Include key staff members from each department or functional area, or ask for volunteers who want to participate in the policy development process. Those individuals will have a seat at the table and therefore become your champions to promote the policies within their departments and throughout the organization. This will make implementation much more successful and enforcement much easier.

Provide Plenty of Training

Prior to rolling out new security policies, provide a series of in-person staff training sessions, either in an all-hands format or by individual department. This will ensure that the staff have an opportunity to understand what the policies are, why they are being implemented, and what the implications of the cyber security program are for the organization. This will also allow them enough time before the policies take effect to soak it all in, as well as to ask any questions or raise concerns.

Formalize the Process

When it comes time to implement the policies, ensure that all employees have read and signed the new network security policies prior to the effective date. In addition, ensure that the new hire onboarding process includes the signing of these policies. Finally, develop a system to provide all staff a refresh of the policies on an annual basis. This would help ensure adherence, as well as provide the opportunity to inform staff of any updates to the policies.

Enforce Penalties

IT security policies are not just guidelines, but must be a required component of employment at the organization. Your policies should clearly state the penalties for any violation or breaches of these security policies. Should anyone violate these policies, ensure that there is a proper process in place with the human resources department to appropriately reprimand and re-train the employee.

Review and Communicate

Security policies are not a static document that you write once and put on a shelf. They are a living document that is constantly changing as IT, network, and data security threats evolve and organizational changes occur. Ensure that you regularly review security policies to make appropriate modifications and updates. A bi-annual review cycle is a good start; depending on the size and complexity of your organization, a quarterly schedule may be more appropriate. When any changes or modifications are made to a policy, ensure that the staff is properly informed of these changes, even if it is mid-cycle. A formal communication to all staff would supersede the last version of the policies which they signed.

Monitor Compliance

Finally, security policies are only as good as your ability to monitor compliance with them. Ensure that your IT team or vendor has the appropriate tools in place to accurately monitor the network environment. Consider tools to monitor Internet/email content, installed applications, and unauthorized devices. Having the right tools in place to properly monitor security configurations is essential to a successful IT security program.
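One way to automate the sign-off tracking described under Formalize the Process and Review and Communicate, and feed it into the compliance monitoring above, is a small acknowledgement check. This is an added Python example, not code from the page or from OSIbeyond; the policy version, roster, names and dates are constructed, and the three rules it enforces (new hires must sign, a superseded version does not count, an annual refresh is required) are the ones the text describes.

```python
from datetime import date, timedelta

# Constructed sample data: the current policy set and a staff roster
# recording which policy version each person last signed, and when.
CURRENT_POLICY_VERSION = "2024.1"
REFRESH_INTERVAL = timedelta(days=365)   # annual re-acknowledgement
REPORT_DATE = date(2025, 3, 15)          # "as of" date for the report

STAFF = [
    # signed the current version, but more than a year ago
    {"name": "alice", "signed_version": "2024.1", "signed_on": date(2024, 2, 20)},
    # signed an older version that a later communication superseded
    {"name": "bob",   "signed_version": "2023.2", "signed_on": date(2023, 9, 1)},
    # current version, signed within the last year
    {"name": "carol", "signed_version": "2024.1", "signed_on": date(2024, 6, 1)},
    # new hire whose onboarding never included the sign-off
    {"name": "dave",  "signed_version": None,     "signed_on": None},
]


def acknowledgement_status(person, current_version, as_of, refresh=REFRESH_INTERVAL):
    """Return the reason this person must (re)sign, or None if they are current.

    Checks are ordered so the most serious gap is reported first: never signed,
    then a superseded version, then an overdue annual refresh.
    """
    if person["signed_version"] is None or person["signed_on"] is None:
        return "never signed (onboarding gap)"
    if person["signed_version"] != current_version:
        return f"signed superseded version {person['signed_version']}"
    if as_of - person["signed_on"] > refresh:
        return "annual refresh overdue"
    return None


def find_noncompliant(staff, current_version=CURRENT_POLICY_VERSION, as_of=REPORT_DATE):
    """Map each non-compliant person's name to the reason they need to re-sign."""
    report = {}
    for person in staff:
        reason = acknowledgement_status(person, current_version, as_of)
        if reason is not None:
            report[person["name"]] = reason
    return report


if __name__ == "__main__":
    for name, reason in sorted(find_noncompliant(STAFF).items()):
        print(f"{name}: {reason}")
```

Running the report on a schedule (and again right after a mid-cycle policy change, with the new version number) gives the IT team a concrete list to hand to HR, rather than relying on memory of who signed what.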
