An essential part of a company's cybersecurity program is the creation and implementation of a workplace security policy, a document that outlines all plans in place to protect physical and information technology (IT) assets; in fact, a policy includes a set of rules, instructions, and information for companies' end users and guests aiming at ensuring a highly secure, reliable, and compliant digital environment. In addition, to give a company's staff a framework to keep the network secure, the scope of any policies is also to raise awareness of the potential risks and shine a light on possible vulnerabilities and how they can be corrected, so that employees can be better equipped to prevent them.
It is clear, then, that devising a good security policy is crucial to an organization's success. Although templates are available and laws and regulations mandate information to include, businesses should make sure to devise a working document that takes into consideration the kind of work the business carries out, the needs of the staff and the types of cyber-related attacks that the organization may encounter.
Before getting into the nuts and bolts of the allowed actions users can take on the company network, it is essential that policy clearly states its purpose. For employees to fully embrace the importance of the material covered, it is essential, in fact, to explain the reasons for the policy existence and, of course, under which authority it is implemented, the regulations that sustain it and who was involved in its development. This last point deserves some accurate planning on the part of the IT staff tasked to prepare the document. It is critical, in fact, that to devise an effective policy as many parties as possible within an organization are involved and consulted, not just IT practitioners. Listening to the concerns and operation requirements of each section is an important passage in the writing of the policies that only in this way can answer to the demands of the organization and serve its needs. A policy that is perceived far from the reality of everyday work of each employee is a document that fails at the start.
In addition to the legal basis and initial information contained in the introductory statements, the first chapters should also include any information on monitoring of communications while using company assets and details on the expectation of privacy or lack of. The policy also needs to identify what are critical assets and sensitive information. An omni-comprehensive policy would be ideal but unrealistic, so it is paramount to identify early in the process the minimum requirements to keep the network safe, which resources and data are mandated to be defended from attacks and prying eyes and which type of breach would cause the most damage to the company assets and reputation.
The section that users pay more attention to, typically, is the one containing all the chapters related to practical information such as password requirements, hardware and software restrictions, and classification of data. A good policy needs to address in detail any operational details concerning all the devices employees might need to use for their work, from specific hardware to mobile phones, laptops, tablets, peripherals, etc.…, but also sites that can be accessed or that are expressly prohibited. The document needs to be clear in what is an allowable use of resources: personal use of assets, allowable e-mails, information on uploading or downloading files or sharing documents, access to social networks and regulations concerning streaming of videos and use of chat systems. This is particularly important in companies that make full use of a distributed workforce with employees tapping into the network from remote locations or mobile devices or that even use personal devices through BYOD (Bring Your Own Device) programs.
Once all guidelines and rules are spelled out, the policy also needs to address in detail the particulars of the company incident program with unambiguous information on what is considered to be an infraction or violation and what are the possible consequences of each misuse of resources. The document might refer to more in-depth policies and standard operative procedures (documents that employees can consult for more detailed information) and to the points of contact employees can turn to when needing to have additional information or report issues.
So far, we have seen what the basic elements that are normally included in a security policy document are; however, merely preparing such a document is not sufficient. To be effective for the protection of the company's digital asset, other aspects need to be considered.
First, the policy must be carefully devised and must strike the right balance between business requirements and security needs. The use of the internet for research, of social networks for communications and relationship-building, as well as the possibility of tapping remotely into company resources and working-on-the-go, are all realities of today's business environment; an overly-restrictive document that impairs the use of these resources would be detrimental to the ability of staff to be productive to the fullest. At the same time, however, it is important to recognize what are the most common mistakes users make and how to better protect the network from vulnerabilities and risks due to their actions.
Clarity is also one the main aspects to be considered. A great security policy is ineffective if concepts are not explicitly stated in a language that anybody, and not just IT geeks, can fully understand. Taking in due consideration whom the audience allows for tailoring of the policy to the real needs of the employees. A policy full of legalese, references to laws and regulations as well as general references to security might satisfy legal requirements but wouldn't do much to guide staff to the correct, safer use of resources. Unambiguous language, specific examples, clear expectations and well-defined consequences for breaches and violations are staples of a well-written policy. It is also important for this document to be as concise as possible. Busy professionals often ignore a lengthy succession of pages; therefore, it is always better to give quick and clear guidelines and create, also, reference documents that address specific issues.
Frequent revising is another important aspect. Policies need to be living documents, often updated, yearly at the very least. This is essential to make sure the guidelines are always in line with the demands of new technologies and address issues that arise in the ever-changing IT landscape. Continuously refreshing the document also conveys to the staff its relevance and importance to the management.
The fourth important aspect of a well-thought-out policy is distribution. The best policy is not at all effective if it is not read, known, referenced. Making sure all personnel are aware of their responsibility and rights when using company IT resources is important, and companies must devise effective (and often creative) ways to make sure they are all aware of the existence of specific regulations and policies. The first exposure should be right at inprocessing with mechanisms that force employees to read and acknowledge the IT security policy to access the systems. Afterward, annual recertification (even through computer-based training, a reality, for example, in many government departments), all-hands meetings to present specific issues or updates, as well as tip-of the-day e-mails and newsletters are all great ways to keep the topic current in the mind of all employees with access to the network.
Management involvement is also essential. Executives that participate in training or that discuss the importance of safe online behaviors are the manifest of how important the topic is for the company and communicates to employees that the safety of the digital assets is of paramount importance and their protection is a critical component of their jobs.
Last, but obviously not least, are the need for compliance and reporting. A good policy needs to address compliance to any regulations the company needs to address. The organization, also, needs to be able to devise a system of monitoring and reporting that shows how employees understand the policy. Keeping track of metrics that can show the level of compliance with IT security regulations, the level of understanding of such rules as well as number of breaches can show how effective the security policy is and how well the staff understands it. This is important to point out which areas might be still unclear and should be addressed and which issues should be tackled in future editions.
"A security policy is a company's best weapon in defending against a possible breach or helping to restore a network and information if a breach has happened," mentions Irfan Shakeel, InfoSec Institute Contributing Writer. As mentioned, however, simply implementing a security policy does not protect the company's digital assets. The entire staff needs to be sensitized on the topic and trained to recognize and respond at least to the most common attacks to minimize the risk of personnel unintentionally mishandling information or disseminating sensitive data to outsiders; this requires additional training and awareness to build and maintain a secure environment. "After all, your employees are the gatekeepers of your company's information, making them the first line of defense against corporate account takeover," tells Frank Sorrentino, CEO of ConnectOne Bank and Forbes contributor.
An awareness program made of formal training, online resources, tips, posters, and campaigns can point out for employees the most critical concepts in the policy and help them focus on what is most relevant to their role. Through case studies and examples taken from real life, employees can relate to the material covered and see its importance in their everyday activities.
Also, a good, multi-faceted security awareness program ensures personnel fully understand the purpose behind an organizational policy to safeguard data and encourages them to engage in individual and collective responsibilities towards taking reasonable measures to mitigate losses arising from a data breach. In fact, a security awareness program is not only designed to educate users on the security policy of an organization, but also in conveying it. That said, a policy is in place also to protect employees and customers in addition to the organization.
A company-wide policy is a fundamental part of a company's IT security strategy only if it is developed through the input of all departments within a company and not only addresses the responsibilities but also takes into consideration the needs of the entire workforce. Although the skeleton of security policies is often the same for businesses of any size, taking the time to tailor the document to the specific needs of each organization while continuously updating and making sure the entire workforce is well aware of the information in the policy ensures true protection of saca business digital environment.