With regard to security culture, the actions, decisions, and judgments of each employee in their use of technology and information can make or break your company’s information security. Do you want a culture of indifference or grudging tolerance toward security, or a culture where it’s well understood that “security is everyone’s job” and vital to the overall success of the business?
The starting point is for everyone to understand what’s expected of them and what to do as they use and manage information and technology on a day-to-day basis. One of the best tools for this purpose is well organized, clearly written policies that are communicated effectively. There are additional benefits to security policies for any size organization or industry. One fundamental benefit is that policies in general document management’s intentions and expectations. As a result, they can provide some degree of liability protection.
Policies also serve to educate or train and can prevent mistakes or misunderstandings. They’re sometimes used for external audiences such as clients, business partners or investors. But again, the most valuable outcome of security policies is to use them to help build a culture of security. The key is how you communicate and then implement your policies. It isn’t enough to just write down the policies and post them in the break room.
Types and Tiers of Policies
The best practice for organizing several types of policies is to use a multi-tiered strategy. First, you’ll need top level, principle-based policies that provide a framework for all others. Here’s an example: Company XYZ shall take steps to comply with all relevant regulatory and industry standards by provisioning and maintaining security controls based on the International Standards Organization (ISO) 27001 Standard and the Payment Card Industry (PCI) Data Security Standard (DSS). The next tier is more specific, but the audience is companywide.
The desired actions are required for everyone. Don’t limit them to IT or any other department. An example of a policy for all employees is an “Acceptable Use of Technology Policy.” It describes both required and prohibited and restricted actions. It might include sections governing the use of email, Internet Cloud Applications, Social Media and personal smartphones.
To go into further detail on one of these sections, an Acceptable Use of Email policy should address the following points:
- No sending of inappropriate content (such as pornography, etc.)
- Allow or prohibit personal email use
- Prohibit forwarding confidential information
- Notify users that email use is monitored
- Explain sanctions for unacceptable behavior
- Require employee agreement to the policy
The U.S. Federal Trade Commission and other regulators consider use of a password policy a necessity. This includes more than internal Windows passwords – third party software must adhere to the policy as well. Include this consideration in initial negotiations with providers, or negotiate with them to update existing contracts. You’ll also need a data classification policy that applies to all employees. There are many ways to classify data, but a popular scheme is to use four categories: public, internal use only, confidential and restricted.
The classification policy should describe each category and include examples. Personally identifiable data, such as employee social security numbers or guest credit card data, belongs in the confidential category. The third tier of policy is more accurately described as procedures. These are written for a particular department or function. In the IT department, configuration rules such as firewall or server rules are often called policies.
A standard firewall rule is to deny by default or to deny all unless a specific IP address is allowed. A fundamental server rule is to remove all factory default settings before installation. These procedures are often the focus of audits and need to be kept up to date as technology products are upgraded or changed. One advantage of having these procedures written, organized, and easily accessible is the ease of onboarding a new employee without making mistakes or overlooking steps.
Training & Awareness
It is a misconception and a significant missed opportunity to view security policies as a checklist task for audits. The goal is to promote a culture where everyone understands security’s importance and their role in it. Training and awareness shouldn’t be a once-a-year quiz or lengthy PowerPoint presentation.
The best way to conduct security policy training and awareness is to approach it as an internal marketing campaign to build enthusiasm. Make senior executives across all departments spokespersons for the effort. Deliver key messages frequently. Create pitches that are catchy, memorable, and easy to understand.
Engage marketing and human resources to help design and implement your training and awareness program. Give prizes and awards to make it fun. Some hotel companies have developed weekly security tips. Others use poster contests to draw attention and boost engagement. You could also give out monthly awards with a certificate and prize. Your core security technology vendors may be willing to sponsor some activities as well.
Policy Enforcement
Have you ever gone over the speed limit when driving a car? Most of us have. Speed limits are enforced with traffic tickets. If there were no traffic tickets or enforcement, would anyone pay attention to the speed limit? The same idea applies to security policies. Failure to adhere to a policy should have consequences or result in disciplinary actions. The severity should be in proportion to the risk the company is exposed to when a policy isn’t followed. Always consult with the human resources and legal departments on the best way to phrase and word disciplinary action in a policy.
Policy Review and Updates
Policies need to change along with the company, with technology, and with new ways of working. Provide a point of contact for policy questions and make it a practice to review and update your policies and procedures at least once a year.
