The term “policy” is overused jargon with overlapping and confusing meanings, and “information security policy” can refer to several different things. Company or organizational policies that define a value or a position an organization takes on an issue, system policies that configure a particular computer resource, and firewall policies that define the rules for what can pass through a network boundary are different things with different purposes.
Here are some thoughts related to good information security policy practices.
It is a leading information risk management practice to operate a company and its information security program from a body of company information security policies. A number of legal authorities and security frameworks, ISO 27001 / 27002, NIST, PCI and HIPAA among them, require policy.
These authorities all expect policies to be risk-derived. A risk assessment process that identifies and evaluates the risks to an organization should inform the policy-making process. Typically, this means that regular, routine risk assessments are completed and that the organization maintains a catalog or listing of its risks, commonly referred to as a risk register. Policies are then written to ensure that every identified risk is covered.
Of course, there are basics that should be in place and that can be identified from the various authorities without much risk assessment effort. These form the foundation of an information security policy base and include:
- Information security policy and objectives
- Risk assessment and risk treatment methodology
- Definition of security roles and responsibilities
- Inventory of assets
- Access control policy
- Acceptable use of assets
- Operating procedures for IT management including vulnerability management, logging and monitoring
- Security awareness
- Secure system engineering principles
- Business continuity
- Incident response
- Supplier security policy
- Statutory, regulatory, and contractual requirements
We use a variety of sources for information security policies:
- SANS Information Security Policy Templates (http://www.sans.org/security-resources/policies/) Free
- ISO 27K Toolkit (http://www.iso27001security.com/html/toolkit.html) Free / Open Source
- Open Directory Project Templates (http://www.dmoz.org/Computers/Security/Policy/Sample_Policies/) Free / Open Source
- Information Security Policies Made Easy (http://www.informationshield.com/ispmemain.htm) Commercial
- Many colleges and universities and other public entities openly publish their policy sets. Some, of course, have copyrights protecting their use. Others do not and offer a good source of well-written policies.
- We also resell and provide a managed service using TraceCSO’s GRC tool, which includes policy templates from Information Security Policies Made Easy. With a GRC tool like TraceCSO, an organization can identify and catalog risks, mitigate them through policies and other controls, and perform routine information security assessments and audits.
Recommendation for Using Templates
When we started Jacadis we often wrote policies from scratch. That was a time-consuming and often expensive effort. It is a benefit that so many templates are now available. One word of caution, however: if you choose the template route, particularly if you pick and choose from those available for free or as open source, make certain you invest the time to make terms consistent across all of your information security and organizational policies. It is an audit flag when we find information security policies published by an organization whose terms do not match other company policies. Often this is a sign that the policies exist on paper only and are not being followed.
A leading practice is for organizations to review policies annually, making sure the policies change as company technology, compliance obligations and risks change.